Skip to main content

Otp CVE-2026-28810

| EUVDEUVD-2026-19582 MEDIUM
Generation of Predictable Numbers or Identifiers (CWE-340)
2026-04-07 EEF
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 07, 2026 - 08:30 euvd
EUVD-2026-19582
Analysis Generated
Apr 07, 2026 - 08:30 vuln.today
Patch released
Apr 07, 2026 - 08:30 nvd
Patch available
CVE Published
Apr 07, 2026 - 07:50 nvd
MEDIUM 6.3

DescriptionCVE.org

Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning.

The built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers.

inet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible.

This vulnerability is associated with program files lib/kernel/src/inet_db.erl and lib/kernel/src/inet_res.erl.

This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11.

AnalysisAI

Erlang/OTP kernel inet_res DNS resolver uses predictable sequential transaction IDs and lacks source port randomization, enabling DNS cache poisoning attacks against systems relying on this resolver in untrusted network environments. Affects OTP 17.0 through 28.4.2 (and specific patch versions 27.3.4.10, 26.2.5.19); unauthenticated remote attackers who can observe or predict DNS query patterns can forge DNS responses to redirect traffic or execute man-in-the-middle attacks. Vendor-released patches available; no public exploit code or active exploitation confirmed.

Technical ContextAI

The Erlang/OTP built-in DNS resolver (inet_res module in lib/kernel/src) implements RFC 1035 DNS over UDP but violates RFC 5452 mitigations against forged DNS answers. The vulnerability stems from CWE-340 (Generation of Predictable Numbers or Identifiers) in the transaction ID generation mechanism. Instead of randomizing both the 16-bit transaction ID (query ID) and the source UDP port - the two primary defenses against DNS spoofing - inet_res generates a process-global sequential transaction ID that is trivially predictable. Response validation relies almost entirely on matching this ID, leaving systems vulnerable if an attacker can observe a single query (to learn the current ID sequence) or predict the next transaction ID. The inet_res resolver was designed for trusted network environments with trusted recursive resolvers, but earlier documentation did not clearly communicate this deployment constraint, potentially leading to unsafe deployments in Internet-facing or untrusted-network scenarios.

RemediationAI

Upgrade Erlang/OTP to patched versions: OTP 28.4.2 or later, OTP 27.3.4.10 or later, or OTP 26.2.5.19 or later. Vendor-released patches are available via the commits listed at https://github.com/erlang/otp/commit/36f23c9d2cc54afe83671dd7343596d7972839a5, https://github.com/erlang/otp/commit/dd15e8eb03548c5e55e9915f0e91389ec6bad9fd, and https://github.com/erlang/otp/commit/b057a9d995017b1be50d6dc02edd52382f3231b8. For deployments unable to immediately upgrade, mitigate by restricting inet_res use to trusted network segments with trusted recursive DNS resolvers only, or replacing inet_res with an external DNS resolver (e.g., systemd-resolved or OS-native resolver). Review https://www.erlang.org/doc/system/versions.html#order-of-versions for release timeline and patching paths.

More in Otp

View all
CVE-2022-24584 MEDIUM POC
6.5 May 11

Incorrect access control in Yubico OTP functionality of the YubiKey hardware tokens along with the Yubico OTP validation

CVE-2026-49759 HIGH
8.8 Jun 10

Denial of service in Erlang/OTP erts (inet_drv SCTP handler) lets unauthenticated remote attackers crash the BEAM VM by

CVE-2026-55950 HIGH
8.7 Jul 02

Remote denial of service in Erlang/OTP's ssl application (dtls_packet_demux module) lets an unauthenticated attacker cra

CVE-2026-28808 HIGH
8.3 Apr 07

Authorization bypass in Erlang OTP's inets HTTP server allows unanauthenticated remote attackers to execute CGI scripts

CVE-2026-55952 HIGH
8.2 Jul 02

Denial of service in the Erlang/OTP ssl application (OTP 22.2 through 29.0.3, and the 28.5.x/27.3.x maintenance branches

CVE-2026-32144 HIGH
7.6 Apr 07

Erlang OTP public_key module (versions 1.16 through 1.20.3 and 1.17.1.2) fails to cryptographically verify OCSP responde

CVE-2026-48860 HIGH
7.5 Jun 10

Authentication bypass in Erlang/OTP's TLS distribution module (inet_tls_dist) lets any attacker holding a TLS certificat

CVE-2026-48856 HIGH
7.1 Jun 10

Credential leakage in Erlang/OTP's inets httpc client (versions 17.0 through 29.0.2, 28.5.0.2, and 27.3.4.13) allows att

CVE-2026-49760 MEDIUM
6.9 Jun 10

Stack-based buffer overflow in Erlang OTP's erl_interface C library (`ei_s_print_term`) crashes processes when decoding

CVE-2026-54887 MEDIUM
6.3 Jul 02

The DTLS server in Erlang/OTP ssl initializes its cookie secret to a hardcoded empty binary on startup, making HMAC-base

CVE-2026-48859 MEDIUM
6.3 Jun 10

Username enumeration via timing side-channel in Erlang/OTP SSH daemon (OTP 29.0-29.0.1) allows unauthenticated remote at

CVE-2026-54891 MEDIUM
6.3 Jul 02

Blind plaintext injection into Erlang/OTP TLS clients allows a network-positioned attacker to insert unauthenticated APP

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-28810 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy