MEDIUM 5.5

CVE-2026-49760: Erlang OTP Stack Buffer Overflow in erl_interface – Patch Now

A stack-based buffer overflow exists in Erlang OTP's erl_interface library, specifically in the ei_s_print_term function. When this function processes Erlang terms with extremely large integer representations—those exceeding 2000 characters when encoded—it writes beyond the bounds of its internal 2000-byte stack buffer. The overflow is constrained to hexadecimal and decimal characters (0-9, A-F), which significantly limits the practical attack surface to denial of service rather than arbitrary code execution. The related ei_print_term function, which outputs to files instead of memory buffers, does not suffer from this flaw.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-121
Affected products
2 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow. This vulnerability is associated with program file lib/erl_interface/src/misc/ei_printterm.c and program routine ei_s_print_term. The C function ei_s_print_term uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of 0-9 and A-F, which limits exploitation to Denial of Service. The companion function ei_print_term, which prints directly to a FILE instead of a memory buffer, does not contain this bug. This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in lib/erl_interface/src/misc/ei_printterm.c within the ei_s_print_term routine. This C function maintains a fixed 2000-character stack allocation for formatting Erlang terms into string representations. The buffer overflow occurs when processing specially crafted encoded Erlang terms containing integers whose string representation exceeds this fixed boundary. The overflow payload is constrained to ASCII characters 0x30-0x39 (0-9) and 0x41-0x46 (A-F), corresponding to valid hexadecimal digit representations. This character restriction prevents attackers from writing arbitrary machine instructions or return addresses onto the stack, effectively limiting the impact to stack corruption and process termination. The architectural design of ei_print_term—which writes unbuffered output directly to FILE streams—naturally avoids this class of error.

Business impact

Organizations deploying Erlang OTP in production environments face potential service disruption if untrusted or compromised systems can send specially crafted Erlang terms to affected erl_interface functions. The vulnerability does not enable data breach, privilege escalation, or lateral movement; instead, it permits a local or network-adjacent attacker with sufficient access to trigger denial of service against applications relying on erl_interface for inter-process or inter-node communication. For systems where Erlang OTP underpins mission-critical distributed applications—telecommunications, real-time messaging, or financial trading systems—availability impact may be significant, though the attack surface is narrower than for remote code execution vulnerabilities.

Affected systems

The vulnerability affects Erlang OTP versions 17.0 through 27.3.4.12 (inclusive), version 28.5.0.1, and version 29.0.1. Correspondingly, erl_interface library versions 3.7.16 through 5.5.2.0 (inclusive), version 5.7.0.0, and version 5.8.0 are impacted. Only code paths that invoke ei_s_print_term with untrusted encoded term data are at risk; applications using ei_print_term exclusively are unaffected. Binary distributions, source builds, and embedded deployments of Erlang OTP all carry the same risk if they include the vulnerable code path.

Exploitability

Exploitability is restricted to denial of service scenarios. An attacker must have the ability to cause ei_s_print_term to be invoked with a crafted Erlang term, which typically requires local access or network access to an interface that accepts encoded Erlang terms (such as erl_interface network listeners). The character constraints on the overflow payload—limited to hexadecimal digits—prevent conventional stack smashing attacks that would overwrite function return addresses or inject shellcode. The CVSS score of 5.5 (Medium, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) reflects local vector requirement, low attack complexity, low privilege requirement, and high availability impact with no confidentiality or integrity compromise.

Remediation

Upgrade affected Erlang OTP installations to patched versions immediately. For OTP 27.x track, update to 27.3.4.13 or later. For OTP 28.x track, update to 28.5.0.2 or later. For OTP 29.x track, update to 29.0.2 or later. These versions include fixes to ei_s_print_term that either expand the buffer, validate input length, or implement dynamic allocation to handle large integer representations safely. Verify patch application by confirming erl_interface library version changes in release notes. Organizations unable to patch immediately should review application configurations to restrict which entities can submit Erlang terms to erl_interface functions, though this is often impractical in distributed Erlang clusters.

Patch guidance

Erlang OTP releases are published through erlang.org and major Linux distributions. Obtain patches from the official Erlang/OTP GitHub repository (github.com/erlang/otp) or your distribution's package repositories. For OTP 27, 28, and 29 users, the corresponding maintenance releases (27.3.4.13, 28.5.0.2, 29.0.2) should be available as of the vulnerability publication date. Review the release notes for these versions to confirm inclusion of the ei_s_print_term fix. If using a commercial or embedded Erlang distribution, contact your vendor for patched binaries. Testing should focus on confirming that ei_s_print_term calls complete without segmentation faults or process termination when processing large integer terms.

Detection guidance

Monitor for unexpected process terminations or segmentation faults in Erlang virtual machines, particularly if your application logs or crash dumps show ei_s_print_term or ei_interface in the call stack. Network-based detection is challenging because the triggering input is a serialized Erlang term; however, unusually large term sizes on erl_interface ports may warrant investigation. Logging and metrics collection around erl_interface call failures or node disconnections can serve as indirect indicators. Implementation of input validation upstream of ei_s_print_term—such as rejecting Erlang terms with component sizes exceeding reasonable bounds—provides defense-in-depth.

Why prioritize this

Although the CVSS score is moderate (5.5), this vulnerability merits timely attention because (1) Erlang OTP is often deployed in high-availability, distributed systems where even brief availability loss is costly, (2) the attack surface, while narrower than remote code execution, is real in multi-node clusters or systems accepting external Erlang connections, and (3) patches are simple and widely available. Organizations running Erlang in production should prioritize patching within standard maintenance windows. Non-production or isolated Erlang development systems face lower risk and may defer patching.

Risk score, explained

The CVSS 3.1 score of 5.5 reflects: Local Attack Vector (no remote exploitation), Low Attack Complexity (straightforward to craft a large integer term), Low Privilege level required (any local process with Erlang node access), No User Interaction needed, Unchanged Scope, and High Availability impact (denial of service). Critically, the Confidentiality and Integrity impacts are None because the overflow is character-constrained and does not enable information disclosure or system modification. The Medium severity label appropriately captures that impact is limited to availability, and exploit requires local or trusted-network access.

Frequently asked questions

Can this vulnerability be exploited remotely?

Exploitation requires local access to the affected Erlang node or network access to an interface that accepts encoded Erlang terms. In typical Erlang deployments, the erl_interface network listeners are either firewalled or restricted to trusted cluster members, making remote exploitation unlikely. However, applications that expose Erlang term parsing to untrusted external inputs do face risk.

Does upgrading to the patched version require downtime?

Erlang OTP can often be hot-loaded or upgraded with minimal downtime using Erlang's built-in release upgrade mechanisms, but this depends on your application architecture. If you use a blue-green deployment or rolling restart strategy, downtime can be avoided or minimized. Consult your Erlang operations runbook to confirm upgrade procedures.

Are there workarounds if we cannot patch immediately?

Network segmentation and access control are the primary interim mitigations: restrict which systems can communicate with Erlang nodes via erl_interface, and disable erl_interface listeners if they are not essential. However, these are not complete substitutes for patching, especially in multi-node clusters where inter-node communication is critical.

Which Erlang OTP versions are safe?

OTP 27.3.4.13 and later, OTP 28.5.0.2 and later, and OTP 29.0.2 and later are safe. Versions prior to these thresholds are vulnerable. If you are running OTP 26 or earlier (outside the affected range documented above), you are unaffected by this specific CVE, but you should verify whether you are running OTP 17.0–27.3.4.12, 28.5.0.1, or 29.0.1 to confirm exposure.

This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. SEC.co makes no warranty regarding the completeness or accuracy of patch versions, and organizations must verify patch applicability against official Erlang/OTP release notes and security advisories. Exploitation impact may vary based on specific application configuration and network topology. Organizations should conduct thorough testing in non-production environments before deploying patches to critical systems. This vulnerability intelligence does not constitute security advice and should be reviewed in the context of your organization's risk management and change control processes. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).