EUVD-2026-36052Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionNVD
Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow.
This vulnerability is associated with program file lib/erl_interface/src/misc/ei_printterm.c and program routine ei_s_print_term.
The C function ei_s_print_term uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of 0-9 and A-F, which limits exploitation to Denial of Service.
The companion function ei_print_term, which prints directly to a FILE instead of a memory buffer, does not contain this bug.
This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.
AnalysisAI
Stack-based buffer overflow in Erlang OTP's erl_interface C library (ei_s_print_term) crashes processes when decoding Erlang terms containing very large integers, causing Denial of Service. Affected OTP releases span from 17.0 through unfixed branches of 27.x, 28.x, and 29.x, making this a wide-ranging availability risk for C-language nodes that interface with the Erlang runtime. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application uses `ei_s_print_term` (not `ei_print_term`, which is unaffected) from the erl_interface library to format Erlang terms sourced from an untrusted or attacker-controlled input. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.9 with attack vector LOCAL (AV:L/AC:L/AT:N/PR:N/UI:N) indicates that a triggering process must locally supply a malformed ETF-encoded term to the vulnerable function - either directly within the process or via a peer node delivering an ETF message. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker or a malicious peer C/Erlang node accepted by the target application crafts an ETF-encoded message containing an arbitrarily large bignum integer - for example, a value whose decimal string representation is 3000 characters long. When the receiving C application calls `ei_s_print_term` to format this term (e.g., for logging or display), the internal 2000-byte stack buffer overflows with hex-digit bytes, corrupting the stack frame and crashing the process. … |
| Remediation | Upgrade to a patched Erlang OTP release: 27.3.4.13, 28.5.0.2, or 29.0.2 (corresponding to erl_interface 5.5.2.1, 5.7.0.1, or 5.8.1 respectively), as confirmed by the vendor advisory at https://github.com/erlang/otp/security/advisories/GHSA-xcxj-5pg2-v72j. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today