
Erlang/OTP CVE-2026-49759
EUVD-2026-36053 · HIGH
Stack-based Buffer Overflow (CWE-121)
2026-06-10 · EEF
CVSS 4.0 score 8.8 (NVD)

Severity by source

NVD (primary): 8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: X

Lifecycle Timeline

  • Jun 10, 2026 16:33 (vuln.today): Source code evidence fetched
  • Jun 10, 2026 16:33 (vuln.today): Analysis generated
  • Jun 10, 2026 16:22 (NVD): CVSS changed to 8.8 (HIGH)

Description (NVD)

Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk.

The sctp_parse_error_chunk function in erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated ErlDrvTermData spec[] array without checking bounds. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit values interleaved with a fixed tag, so the overflow does not provide a controlled return address, limiting exploitation to Denial of Service.

A crafted SCTP ERROR chunk may also leak bits and pieces of Erlang VM memory into the received error packet observed by the Erlang process. Such data is already readable by the user running the Erlang VM, so the disclosure scope is limited.

This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2 (corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and 17.0.2).
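As an added illustration (not code from OTP's inet_drv.c, the EEF advisory or the upstream fix), the C sketch below models the pattern the description refers to: a parser walks the error causes of an SCTP ERROR chunk and emits one (fixed tag, 16-bit cause code) pair per cause into a fixed-size stack array, and it performs the capacity check before every write that an unchecked writer lacks. It also refuses to read past the received chunk, which is the defensive counterpart of the memory-disclosure note. SPEC_LEN, TAG_UINT, TermData, the function names and the return codes are assumptions; the cause layout (16-bit code, 16-bit length including its 4-byte header, 4-byte padding) follows RFC 4960.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative reconstruction of the defect class, not OTP's inet_drv.c.
 * SPEC_LEN, TAG_UINT, TermData and the return codes are assumptions. */
#define SPEC_LEN 16            /* hypothetical capacity of the fixed stack array */
#define TAG_UINT 0x0Aul        /* constructed stand-in for the fixed term tag */

typedef unsigned long TermData; /* stand-in for ErlDrvTermData */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Append one (TAG_UINT, cause_code) pair per error cause to spec[].
 * Returns the number of slots written, -1 for a truncated or malformed chunk
 * (no byte beyond chunk_len is ever read), or -2 when the causes would not
 * fit in spec[]. The capacity test before each pair is the check that an
 * unchecked parser of this shape is missing. */
int build_error_spec(const uint8_t *chunk, size_t chunk_len,
                     TermData *spec, size_t spec_len)
{
    size_t off = 4;  /* skip chunk type, flags and length */
    size_t n = 0;
    if (chunk_len < 4) return -1;
    while (off < chunk_len) {
        if (chunk_len - off < 4) return -1;                 /* truncated cause header */
        uint16_t code = be16(chunk + off);
        uint16_t clen = be16(chunk + off + 2);
        if (clen < 4 || clen > chunk_len - off) return -1;  /* length must lie inside the chunk */
        if (spec_len - n < 2) return -2;                    /* bounds check before writing a pair */
        spec[n++] = TAG_UINT;
        spec[n++] = code;
        off += (clen + 3u) & ~3u;                           /* causes are padded to 4 bytes */
    }
    return (int)n;
}

/* Build a constructed ERROR chunk (type 9) holding `count` header-only causes
 * with cause codes cycling 1..13; returns the chunk length, or 0 if it won't fit. */
size_t make_error_chunk(uint8_t *buf, size_t buf_len, unsigned count)
{
    size_t len = 4 + 4 * (size_t)count;
    if (len > buf_len || len > 0xFFFF) return 0;
    buf[0] = 9; buf[1] = 0;                       /* chunk type ERROR, no flags */
    buf[2] = (uint8_t)(len >> 8); buf[3] = (uint8_t)len;
    for (unsigned i = 0; i < count; i++) {
        uint8_t *c = buf + 4 + 4 * i;
        c[0] = 0; c[1] = (uint8_t)(1 + i % 13);  /* constructed cause code */
        c[2] = 0; c[3] = 4;                       /* cause length: header only */
    }
    return len;
}

int main(void)
{
    uint8_t buf[256];
    TermData spec[SPEC_LEN];
    size_t len = make_error_chunk(buf, sizeof buf, 3);
    printf("3 causes -> %d slots\n", build_error_spec(buf, len, spec, SPEC_LEN));
    len = make_error_chunk(buf, sizeof buf, 9);
    printf("9 causes -> %d (rejected: would not fit in spec[])\n",
           build_error_spec(buf, len, spec, SPEC_LEN));
    return 0;
}
```

Two design choices matter for a defender reading the fix: the capacity test runs before each pair rather than once up front, so it stays correct if the per-cause slot count ever changes, and an oversized or malformed chunk is rejected with a distinct code instead of being silently truncated, so the caller can count and log such chunks.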

Analysis (AI-generated)

A denial-of-service flaw in Erlang/OTP erts (the inet_drv SCTP handler) lets an unauthenticated remote attacker crash the BEAM VM by sending a single crafted SCTP ERROR chunk to a listening SCTP port. The flaw is a stack-based buffer overflow (CWE-121) in sctp_parse_error_chunk; a public advisory from the Erlang Ecosystem Foundation (EEF) and an upstream commit confirm the fix. No public exploit was identified at the time of analysis, and because the overflow only writes 16-bit values interleaved with a fixed tag, the impact is limited to DoS plus minor memory disclosure.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: identify an SCTP listener on an OTP node
  • Delivery: establish an SCTP association to the target port
  • Exploit: send a crafted SCTP ERROR chunk with excess cause codes
  • Execution: overflow the spec[] stack array in sctp_parse_error_chunk
  • Impact: crash the BEAM VM and induce a service outage

Vulnerability Assessment (AI-generated)

Exploitation: The target must be running Erlang/OTP in the vulnerable range (OTP 17.0 through pre-27.3.4.13 / pre-28.5.0.2 / pre-29.0.2) and must have an SCTP listener bound via the inet driver (gen_sctp or equivalent); TCP/UDP-only OTP deployments are not affected. …

Risk Assessment: The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N describes network-reachable, low-complexity, unauthenticated exploitation with high availability impact (VA:H), low confidentiality impact (VC:L) and no integrity impact (VI:N), consistent with a DoS-plus-limited-memory-leak primitive. …

Exploit Scenario: An attacker reachable on the network establishes an SCTP association to a vulnerable Erlang/OTP service (for example, a telecom signaling node or any application using gen_sctp on a listening port), then sends a single crafted SCTP ERROR chunk containing enough cause codes to overflow the fixed-size spec[] stack array inside sctp_parse_error_chunk, crashing the BEAM VM and taking the service offline. Repeated invocations against an auto-restarted node produce a sustained outage. No public exploit was identified at the time of analysis, but the patch diff together with the description of the overflow primitive provide a clear blueprint for one. …

Remediation: Vendor-released patches are available: upgrade to Erlang/OTP 27.3.4.13, 28.5.0.2, or 29.0.2 (or later) per the GHSA-6f4f-chj5-5g97 advisory, with the upstream fix in commit 3983d495284331c121f600a80bac9fcf4e16381e. …

Recommended Action (AI-generated)

Within 24 hours: Identify all production systems running Erlang/OTP; consult the Erlang Ecosystem Foundation security advisory for CVE-2026-49759 to determine affected versions. …



CVE-2026-49759 vulnerability details – vuln.today
