[From nobody Fri Jun 12 19:21:09 2026
Received: (at submit) by bugs.debian.org; 12 Jun 2026 04:22:07 +0000
Return-path: <carnil@debian.org>
Received: via submission by buxtehude.debian.org with esmtp (Exim 4.96)
 (envelope-from <carnil@debian.org>) id 1wXtPD-002K8W-17
 for submit@bugs.debian.org; Fri, 12 Jun 2026 04:22:07 +0000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: erlang: CVE-2026-48855 CVE-2026-48856 CVE-2026-48858 CVE-2026-48860
 CVE-2026-49759 CVE-2026-49760
Message-ID: <178123812624.3622977.17229340980976468345.reportbug@eldamar.lan>
X-Mailer: reportbug 13.2.0
Date: Fri, 12 Jun 2026 06:22:06 +0200
Delivered-To: submit@bugs.debian.org

Source: erlang
Version: 1:27.3.4.12+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for erlang.

CVE-2026-48855[0]:
| Exposure of Sensitive Information to an Unauthorized Actor
| vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File
| Discovery.  The SSH_FXP_READLINK handler in ssh_sftpd sends the raw
| result of file:read_link/2 to the client without calling
| chroot_filename/2 to strip the backend root prefix. An authenticated
| SFTP client can create a symlink inside the chroot pointing to /;
| ssh_sftpd resolves the target to the absolute backend root and
| stores it on disk. Reading the symlink back via SSH_FXP_READLINK
| returns that absolute path, for example /data/sftp, instead of the
| chrooted value /.  The information disclosed is the absolute
| filesystem path of the SFTP root directory and of any symlink
| targets within it. No file contents, credentials, or access to paths
| outside the root directory are obtainable through this issue alone.
| This vulnerability is associated with program files
| lib/ssh/src/ssh_sftpd.erl.  This issue affects OTP from OTP 17.0
| before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from
| 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.
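The missing step in CVE-2026-48855 is translating an absolute backend path back into the chrooted view before it reaches the client. The Python below is an added illustration of that step, not OTP's ssh_sftpd code; the function name echoes the chroot_filename/2 helper the advisory names, but its behaviour for targets outside the root (returning None so the caller answers with an error instead of a path) is an assumption.

```python
import posixpath
from typing import Optional


def chroot_filename(root: str, target: str) -> Optional[str]:
    """Map a link target read from the backend to what a chrooted client
    should see.

    Relative targets never mention the backend root, so they pass through.
    Absolute targets lose the root prefix; a target that is exactly the
    root becomes "/". A target outside the root returns None so the caller
    can reply with a failure status rather than disclose the real path.
    """
    if not target.startswith("/"):
        return target
    root = posixpath.normpath(root)
    target = posixpath.normpath(target)
    if root == "/":
        return target
    if target == root:
        # The scenario from the advisory: a symlink to "/" stored as the
        # absolute root, e.g. /data/sftp, must read back as "/".
        return "/"
    if target.startswith(root + "/"):
        return target[len(root):]
    # /data/sftp2/x or /etc/passwd for a root of /data/sftp: not ours.
    return None


if __name__ == "__main__":
    # Constructed samples, not output from any real server.
    for raw in ("/data/sftp", "/data/sftp/upload/a.txt", "docs/x", "/etc/passwd"):
        print(raw, "->", chroot_filename("/data/sftp", raw))
```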


CVE-2026-48856[1]:
| Sensitive Data Exposure vulnerability in Erlang OTP inets
| (httpc_response module) allows Retrieve Embedded Sensitive Data.
| The httpc client forwards the Authorization and Proxy-Authorization
| request headers to redirect targets without checking whether the
| redirect crosses an origin boundary. httpc_response:redirect/2
| constructs the redirected request by updating only the host field of
| the header record; all other fields (including authorization and
| proxy_authorization) are copied verbatim. The redirect target host
| is never compared against the original host.  autoredirect defaults
| to true, so this affects all httpc callers that do not explicitly
| disable automatic redirects.  An attacker who controls a server that
| the victim contacts via httpc can issue a cross-origin 3xx redirect
| to a server they also control. The Authorization header (including
| Basic credentials derived from URL userinfo via
| httpc_request:handle_user_info/2) is forwarded to the redirect
| target, allowing credential theft. The same applies to the Proxy-
| Authorization header.  This vulnerability is associated with program
| files lib/inets/src/http_client/httpc_response.erl.  This issue
| affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13
| corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.
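The check CVE-2026-48856 says httpc_response:redirect/2 never performs is a comparison of the redirect target against the original request before credential-bearing headers are copied. This Python is an added illustration, not OTP's inets code: function and header names are assumptions, and it compares scheme, host and port (a full origin), which is stricter than the host-only comparison the advisory describes as missing.

```python
import base64
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Headers that must not cross an origin boundary on redirect.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization"}


def basic_auth_from_userinfo(url: str) -> dict:
    """The userinfo-to-Basic step the advisory attributes to
    httpc_request:handle_user_info/2: user:pass@ in the URL becomes an
    Authorization header, which is why a bare URL can leak a secret."""
    p = urlsplit(url)
    if p.username is None:
        return {}
    raw = f"{p.username}:{p.password or ''}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def origin(url: str) -> tuple:
    """(scheme, host, port) with default ports filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def redirect_headers(orig_url: str, location: str, headers: dict) -> dict:
    """Headers for the redirected request.

    Location may be relative, so it is resolved against the original URL
    first. Credential headers are copied only when the target shares the
    original origin; everything else is copied verbatim."""
    target = urljoin(orig_url, location)
    same_origin = origin(orig_url) == origin(target)
    return {
        name: value
        for name, value in headers.items()
        if same_origin or name.lower() not in CREDENTIAL_HEADERS
    }


if __name__ == "__main__":
    # Constructed request, not captured traffic.
    first = "https://user:secret@api.example.test/v1"
    hdrs = {"Accept": "*/*", **basic_auth_from_userinfo(first)}
    print(redirect_headers(first, "/v2", hdrs))                          # keeps Authorization
    print(redirect_headers(first, "https://other.example.test/c", hdrs))  # drops it
```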


CVE-2026-48858[2]:
| Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp
| (ftp_internal module) allows FTP bounce attacks and SSRF via an
| unvalidated PASV response IP address.  The
| ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive,
| ipfamily=inet, ftp_extension=false) extracts the IP address from the
| server's 227 response and passes it directly to gen_tcp:connect/4
| without validating it against the control connection peer address.
| The adjacent EPSV handlers correctly call peername(CSock) to derive
| the IP from the control connection, but the PASV handler does not. A
| malicious or compromised FTP server can redirect the client's data
| connection to an arbitrary internal host and port. On read
| operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the
| redirected target is returned to the caller. On write operations
| (ftp:send/2,3, ftp:append/2,3), file content is sent to the
| redirected target. This enables SSRF against internal hosts, cloud
| metadata endpoints, and FTP bounce attacks against third-party
| hosts.  The vulnerable path is the default configuration
| (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section
| 3 explicitly recommends validating the PASV response IP against the
| control connection peer.  The ftp application is deprecated and
| scheduled for removal in OTP-30.  This vulnerability is associated
| with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4
| through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl
| (ftp 1.0 and later, OTP 21.0 and later).  This issue affects OTP
| from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to
| inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1
| and 1.2.3.1.
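The validation CVE-2026-48858 says the PASV handler lacks is a comparison of the advertised address against the control connection's peer, as RFC 2577 section 3 recommends. The Python below is an added illustration of that client-side check, not OTP's ftp application; function names and the strict/lenient choice are assumptions.

```python
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> tuple:
    """Extract the (ip, port) a server advertised in its 227 reply."""
    if not reply.startswith("227"):
        raise ValueError("expected a 227 reply, got: " + reply.split("\r\n")[0])
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("227 reply carries no (h1,h2,h3,h4,p1,p2) tuple")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in 227 reply")
    port = (p1 << 8) | p2
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return f"{h1}.{h2}.{h3}.{h4}", port


def data_endpoint(reply: str, control_peer_ip: str, strict: bool = True) -> tuple:
    """Choose where the data connection goes.

    The advertised address is used only when it equals the address the
    control connection is actually talking to. Otherwise strict mode
    refuses (a server steering the client elsewhere is a bounce or SSRF
    attempt, or badly misconfigured), and lenient mode keeps the port but
    substitutes the control peer, as the advisory says the EPSV handlers
    already do via peername(CSock)."""
    ip, port = parse_pasv(reply)
    if ip == control_peer_ip:
        return ip, port
    if strict:
        raise ValueError(f"PASV address {ip} differs from control peer {control_peer_ip}")
    return control_peer_ip, port


if __name__ == "__main__":
    # Constructed replies, not captured from a real server.
    peer = "192.0.2.10"
    print(data_endpoint("227 Entering Passive Mode (192,0,2,10,195,80).", peer))
    print(data_endpoint("227 Entering Passive Mode (10,0,0,5,0,21).", peer, strict=False))
```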


CVE-2026-48860[3]:
| Reliance on IP Address for Authentication vulnerability in
| Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass
| of the distribution-over-TLS LAN allowlist.  The
| inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist
| for Erlang distribution over TLS, calls inet:sockname/1 instead of
| inet:peername/1 to obtain the peer's IP address. Because
| inet:sockname/1 returns the local socket address, both the local IP
| and the supposed peer IP resolve to the same value, causing the
| subnet mask comparison to always succeed regardless of the actual
| remote address. Any holder of a CA-signed TLS certificate can
| therefore bypass the LAN restriction and gain full Erlang
| distribution access to the node, including rpc:call/4 and
| code:load_binary/3.  This vulnerability is associated with program
| file lib/ssl/src/inet_tls_dist.erl.  This issue affects OTP from OTP
| 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from
| 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.


CVE-2026-49759[4]:
| Stack-based Buffer Overflow vulnerability in Erlang OTP erts
| (inet_drv) allows an unauthenticated remote attacker to crash the
| BEAM VM by sending a crafted SCTP ERROR chunk.  The
| sctp_parse_error_chunk function in
| erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks and
| writes cause codes into a fixed-size stack-allocated ErlDrvTermData
| spec[] array without checking bounds. A remote attacker who has
| established an SCTP association to a listening port can send a
| single crafted SCTP ERROR chunk containing enough cause codes to
| overflow the stack buffer, crashing the VM. The attacker can only
| write 16-bit values interleaved with a fixed tag, so the overflow
| does not provide a controlled return address, limiting exploitation
| to Denial of Service.  A crafted SCTP ERROR chunk may also leak bits
| and pieces of Erlang VM memory into the received error packet
| observed by the Erlang process. Such data is already readable by the
| user running the Erlang VM, so the disclosure scope is limited.
| This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and
| 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and
| 17.0.2.


CVE-2026-49760[5]:
| Stack-based Buffer Overflow vulnerability in Erlang OTP
| (erl_interface) allows Stack-based Buffer Overflow.  This
| vulnerability is associated with program file
| lib/erl_interface/src/misc/ei_printterm.c and program routine
| ei_s_print_term.  The C function ei_s_print_term uses an internal
| 2000-character stack buffer to format terms. When called with an
| encoded Erlang term containing a very large integer (encoded
| representation exceeding 2000 characters), the buffer overflows. The
| overflow bytes are restricted to the ASCII values of 0-9 and A-F,
| which limits exploitation to Denial of Service.  The companion
| function ei_print_term, which prints directly to a FILE instead of a
| memory buffer, does not contain this bug.  This issue affects OTP
| from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding
| to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48855
    https://www.cve.org/CVERecord?id=CVE-2026-48855
[1] https://security-tracker.debian.org/tracker/CVE-2026-48856
    https://www.cve.org/CVERecord?id=CVE-2026-48856
[2] https://security-tracker.debian.org/tracker/CVE-2026-48858
    https://www.cve.org/CVERecord?id=CVE-2026-48858
[3] https://security-tracker.debian.org/tracker/CVE-2026-48860
    https://www.cve.org/CVERecord?id=CVE-2026-48860
[4] https://security-tracker.debian.org/tracker/CVE-2026-49759
    https://www.cve.org/CVERecord?id=CVE-2026-49759
[5] https://security-tracker.debian.org/tracker/CVE-2026-49760
    https://www.cve.org/CVERecord?id=CVE-2026-49760

Regards,
Salvatore
]