By vendor
Erlang vulnerabilities
Known CVEs affecting Erlang products, prioritized by severity, with SEC.co remediation and detection guidance.
7 published vulnerabilities
- CVE-2026-49759HIGH 8.2
A stack-based buffer overflow exists in Erlang OTP's SCTP handling code that allows an unauthenticated attacker to crash the BEAM virtual machine. The vulnerability lives in how the inet_drv component processes SCTP ERROR chunks—specifically, it writes data into a fixed-size array without validating how many cause codes are being written. An attacker who can reach an open SCTP port can send a specially crafted ERROR chunk that overflows this buffer, terminating the entire Erlang VM process. While the nature of the overflow limits the attacker to causing a denial of service (they cannot reliably execute code), the impact to availability is severe. There is also a minor risk of memory disclosure, though any leaked data would already be accessible to users running the VM.
- CVE-2026-48855MEDIUM 6.5
A vulnerability in Erlang OTP's SSH file transfer module allows authenticated SFTP users to discover the absolute filesystem path of the server's SFTP root directory. When a user creates a symbolic link pointing outside the intended chroot jail, the server incorrectly reveals the backend absolute path instead of the restricted path visible to the client. This leaks infrastructure information—specifically filesystem paths—but does not expose file contents, credentials, or permit access beyond the intended boundary.
- CVE-2026-48856MEDIUM 6.5
Erlang's httpc HTTP client has a credential-leakage flaw in how it handles HTTP redirects. When a server sends a redirect response (3xx status), httpc automatically follows it to the new location while preserving the original Authorization and Proxy-Authorization headers—including any embedded credentials. An attacker controlling both the initial target server and the redirect destination can trick the client into sending credentials to an attacker-controlled domain. Since automatic redirects are enabled by default, this affects most applications using httpc unless they explicitly disable the feature.
- CVE-2026-48858MEDIUM 6.5
An attacker who controls or compromises an FTP server can trick Erlang/OTP applications into connecting to arbitrary internal hosts and ports by injecting a malicious IP address into the FTP PASV response. When the client application tries to read or write files, traffic gets redirected to the attacker's chosen target—enabling probes against internal infrastructure, cloud metadata services, or attacks on third-party hosts. The flaw exists in how Erlang's FTP client parses the PASV response without checking that the redirected address actually belongs to the FTP server it connected to.
- CVE-2026-48860MEDIUM 6.5
A flaw in Erlang/OTP's TLS-based distribution module allows an attacker with a valid certificate to bypass IP-address-based access controls on Erlang cluster nodes. The vulnerability stems from a logic error where the code checks the local socket address instead of the remote peer's address when validating whether a connecting node is on the allowed subnet. An attacker holding any CA-signed TLS certificate can exploit this to gain unauthorized access to Erlang RPC and code-loading functions on affected nodes.
- CVE-2026-49760MEDIUM 5.5
A stack-based buffer overflow exists in Erlang OTP's erl_interface library, specifically in the ei_s_print_term function. When this function processes Erlang terms with extremely large integer representations—those exceeding 2000 characters when encoded—it writes beyond the bounds of its internal 2000-byte stack buffer. The overflow is constrained to hexadecimal and decimal characters (0-9, A-F), which significantly limits the practical attack surface to denial of service rather than arbitrary code execution. The related ei_print_term function, which outputs to files instead of memory buffers, does not suffer from this flaw.
- CVE-2026-48859MEDIUM 5.3
A timing side-channel vulnerability in Erlang/OTP's SSH implementation allows attackers to discover valid usernames on an SSH server without authentication. When certain password authentication methods are enabled, the SSH daemon takes noticeably longer (~300ms) to reject logins for real usernames than for fake ones (~0ms). An attacker can exploit this timing difference to enumerate valid user accounts by measuring response times across many login attempts. The vulnerability only affects SSH servers using the legacy user_passwords or password configuration options, which are documented as test-only features; production deployments using the recommended pwdfun alternative are unaffected.