HIGH 8.2

CVE-2026-49759: Erlang OTP SCTP Buffer Overflow Denial of Service

A stack-based buffer overflow exists in Erlang OTP's SCTP handling code that allows an unauthenticated attacker to crash the BEAM virtual machine. The vulnerability lives in how the inet_drv component processes SCTP ERROR chunks—specifically, it writes data into a fixed-size array without validating how many cause codes are being written. An attacker who can reach an open SCTP port can send a specially crafted ERROR chunk that overflows this buffer, terminating the entire Erlang VM process. While the nature of the overflow limits the attacker to causing a denial of service (they cannot reliably execute code), the impact to availability is severe. There is also a minor risk of memory disclosure, though any leaked data would already be accessible to users running the VM.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Weaknesses (CWE)
CWE-120, CWE-121
Affected products
2 configuration(s)
Published / Modified
2026-06-10 / 2026-07-15

NVD description (verbatim)

Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk. The sctp_parse_error_chunk function in erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated ErlDrvTermData spec[] array without checking bounds. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit values interleaved with a fixed tag, so the overflow does not provide a controlled return address, limiting exploitation to Denial of Service. A crafted SCTP ERROR chunk may also leak bits and pieces of Erlang VM memory into the received error packet observed by the Erlang process. Such data is already readable by the user running the Erlang VM, so the disclosure scope is limited. This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and 17.0.2.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the sctp_parse_error_chunk function within erts/emulator/drivers/common/inet_drv.c. This function parses SCTP ERROR chunks and writes cause codes into a stack-allocated ErlDrvTermData spec[] array without bounds checking. An attacker with an established SCTP association to a listening Erlang node can craft an ERROR chunk containing a large number of cause codes; each cause code is a 16-bit value interleaved with a fixed tag. When the function iterates through these codes and writes them to the fixed-size spec array, the stack buffer overflows. Because the attacker can only write 16-bit values in a fixed pattern, they cannot control the return address; exploitation is limited to crashing the process. The overflow may also leak fragments of VM memory that are returned in the error packet, but this data is not privileged—it is already readable by the Erlang process owner.

Business impact

Erlang-based services lose availability when an attacker triggers this vulnerability. Since the BEAM VM crash is triggered by a single crafted SCTP packet, an attacker can repeatedly cause denial of service with minimal effort. Erlang is used in telecommunications, real-time messaging systems, and distributed computing platforms where uptime is critical. Repeated crashes degrade service quality, trigger failover events, and may incur operational cost. The memory disclosure component is low-risk in most deployments since it only exposes data already visible to the VM process owner, but in multi-tenant or security-sensitive environments, any unintended memory leakage should be remediated.

Affected systems

This vulnerability affects OTP versions 17.0 through 27.3.4.12, 28.5.0.1, and 29.0.1. Users running any Erlang OTP release before version 27.3.4.13, 28.5.0.2, or 29.0.2 are at risk if their application uses SCTP or if SCTP is enabled on the node. The corresponding erts (Erlang RunTime System) versions are 6.0 through 15.2.7.8, 16.4.0.1, and 17.0.1. Deployments that do not use SCTP (and have it disabled) are not affected. Systems that are not exposed to untrusted SCTP traffic on the network are at lower risk, though network-adjacent attackers or compromised hosts on the same network segment can exploit this vulnerability.

Exploitability

Exploitability is straightforward from a technical perspective: the attacker needs only network access to an SCTP port on which Erlang is listening and must be able to establish an SCTP association. They then send a single malformed ERROR chunk. No authentication is required. The CVSS score of 8.2 (HIGH) reflects the ease of exploitation (network-accessible, no authentication, low complexity) balanced against the limitation that exploitation results in denial of service rather than code execution. The attack is not in any known exploited vulnerabilities (KEV) catalog as of the last update, but the low barrier to entry suggests the risk of weaponization is real. Organizations using SCTP in untrusted network environments or on internet-facing nodes should prioritize patching.

Remediation

Update Erlang OTP to version 27.3.4.13 or later, 28.5.0.2 or later, or 29.0.2 or later. The fix involves bounds checking in the sctp_parse_error_chunk function to ensure that cause codes do not overflow the spec array. Patching should be tested in a staging environment to confirm compatibility with running Erlang applications. In environments where immediate patching is not possible, consider disabling SCTP at the network or firewall level if the application does not require it, or restrict SCTP access to trusted hosts only. Verify patch application by confirming the erts version matches the expected release (15.2.7.9 or later, 16.4.0.2 or later, or 17.0.2 or later).

Patch guidance

Erlang OTP updates are released as distinct versions. Identify your current OTP version with erl -v. Consult the official Erlang release notes to confirm the correct target version for your release series. Test patches in a non-production environment first, particularly if your application relies on SCTP or has complex networking configurations. Rolling upgrades should be coordinated with your cluster's failover and load-balancing strategy to maintain service availability. After patching, verify the new erts version and confirm that SCTP functionality (if used) continues to operate normally.

Detection guidance

Monitor for sudden, unexplained BEAM VM crashes on nodes that accept SCTP traffic. Enable detailed SCTP logging and network monitoring on nodes exposed to untrusted SCTP sources. Intrusion detection systems can flag SCTP packets with unusually large ERROR chunks or malformed cause codes, though signature-based detection may be limited by protocol complexity. Application-level monitoring should track VM restart frequency and trigger alerts on anomalous crash patterns. If SCTP is not in use, auditing to confirm it is disabled provides a strong assurance that this vulnerability cannot be exploited.

Why prioritize this

This vulnerability merits high priority due to its network accessibility, ease of exploitation, and impact on availability. The CVSS 8.2 score and the lack of any mitigating factors (no authentication required, no user interaction) place it in the category of critical operational risk. Organizations running Erlang in production should treat this as a priority patch. However, the scope is limited to deployments that use SCTP; organizations that do not rely on SCTP can deprioritize if network segmentation is already in place to block SCTP traffic.

Risk score, explained

The CVSS 3.1 score of 8.2 reflects: Network-accessible attack vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction needed (UI:N), and a scope of unchanged (S:U). The confidentiality impact is low (C:L) due to limited memory disclosure, but the availability impact is high (A:H) because the VM crash completely denies service. The integrity impact is none (I:N) since the overflow does not enable data modification or code execution. This translates to a HIGH severity rating.

Frequently asked questions

If our Erlang application does not use SCTP, are we affected?

No. SCTP is not enabled by default in Erlang OTP. If you have not explicitly configured SCTP support or are not using SCTP-dependent code, you are not vulnerable to this issue. You can verify by checking your node configuration and confirming that no SCTP listeners are open. However, we still recommend updating to the patched versions for defense-in-depth and to address any potential future SCTP-related issues.

Can this vulnerability be exploited to execute arbitrary code?

No. The buffer overflow writes only 16-bit cause code values in a fixed pattern, which prevents the attacker from controlling the return address or injecting shellcode. Exploitation is limited to denial of service—crashing the BEAM VM process. Code execution is not possible with this vulnerability.

What does the memory disclosure aspect of this vulnerability mean?

When the buffer overflows, fragments of the BEAM VM's stack memory may be included in the SCTP ERROR response sent back to the attacker. However, this data is already readable by any user running the Erlang VM on that system. The disclosure scope is low because the attacker does not gain access to data that would not already be available to a local user. In most environments, this is a minor concern compared to the denial-of-service impact.

Do we need to disable SCTP entirely after patching?

No. Patching the vulnerability with the updated OTP version resolves the root cause. If SCTP is a required feature for your application, you can continue to use it after applying the fix. However, if SCTP is not needed, disabling it at the network or application level provides an additional layer of defense and reduces attack surface.

This analysis is provided for informational purposes to support vulnerability assessment and patch planning. It is not a substitute for vendor advisories or formal security assessments. Patch versions and affected ranges are derived from the published CVE record; verify them against official Erlang/OTP release notes before deploying patches. Exploitation scenarios are illustrative and do not constitute an endorsement or encouragement of unauthorized access to systems. Organizations should test patches in non-production environments and coordinate patching with their change management and business continuity processes. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).