Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0783
Vulnerability from certfr_avis - Published: 2026-06-19 - Updated: 2026-06-19
De multiples vulnérabilités ont été découvertes dans Microsoft Azure. Elles permettent à un attaquant de provoquer une élévation de privilèges et un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Microsoft | N/A | azl3 erlang 26.2.5.20-1 versions antérieures à 26.2.5.21-2 | ||
| Microsoft | N/A | azl3 python-pip 24.2-8 versions antérieures à 24.2-9 | ||
| Microsoft | N/A | azl3 edk2 20240524git3e722403cd16-17 versions antérieures à 20240524git3e722403cd16-18 | ||
| Microsoft | N/A | azl3 qemu 9.1.0-7 versions antérieures à 9.1.0-8 | ||
| Microsoft | N/A | azl3 opensc 0.27.1-1 versions antérieures à 0.27.1-2 | ||
| Microsoft | N/A | azl3 kernel 6.6.139.1-1 versions antérieures à 6.6.141.1-1 |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "azl3 erlang 26.2.5.20-1 versions ant\u00e9rieures \u00e0 26.2.5.21-2",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 python-pip 24.2-8 versions ant\u00e9rieures \u00e0 24.2-9",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 edk2 20240524git3e722403cd16-17 versions ant\u00e9rieures \u00e0 20240524git3e722403cd16-18",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 qemu 9.1.0-7 versions ant\u00e9rieures \u00e0 9.1.0-8",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 opensc 0.27.1-1 versions ant\u00e9rieures \u00e0 0.27.1-2",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 kernel 6.6.139.1-1 versions ant\u00e9rieures \u00e0 6.6.141.1-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-46307",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46307"
},
{
"name": "CVE-2026-34180",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34180"
},
{
"name": "CVE-2026-42766",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42766"
},
{
"name": "CVE-2026-49760",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-49760"
},
{
"name": "CVE-2026-9076",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9076"
},
{
"name": "CVE-2026-46319",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46319"
},
{
"name": "CVE-2026-46280",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46280"
},
{
"name": "CVE-2026-46287",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46287"
},
{
"name": "CVE-2026-46303",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46303"
},
{
"name": "CVE-2026-45445",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45445"
},
{
"name": "CVE-2026-10275",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-10275"
},
{
"name": "CVE-2026-7383",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7383"
},
{
"name": "CVE-2026-48858",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48858"
},
{
"name": "CVE-2026-49759",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-49759"
},
{
"name": "CVE-2026-48855",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48855"
},
{
"name": "CVE-2026-46296",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46296"
},
{
"name": "CVE-2026-46293",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46293"
},
{
"name": "CVE-2026-46301",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46301"
},
{
"name": "CVE-2026-46289",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46289"
},
{
"name": "CVE-2026-46285",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46285"
},
{
"name": "CVE-2026-45447",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45447"
},
{
"name": "CVE-2026-48856",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48856"
},
{
"name": "CVE-2026-46291",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46291"
},
{
"name": "CVE-2026-46312",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46312"
},
{
"name": "CVE-2026-46274",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46274"
},
{
"name": "CVE-2026-46292",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46292"
},
{
"name": "CVE-2026-42767",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42767"
},
{
"name": "CVE-2026-48914",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48914"
},
{
"name": "CVE-2026-48860",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48860"
},
{
"name": "CVE-2026-8643",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-8643"
},
{
"name": "CVE-2026-46306",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46306"
},
{
"name": "CVE-2026-46299",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46299"
},
{
"name": "CVE-2026-46304",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46304"
}
],
"initial_release_date": "2026-06-19T00:00:00",
"last_revision_date": "2026-06-19T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0783",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Microsoft Azure. Elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Microsoft Azure",
"vendor_advisories": [
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-42766",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42766"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46280",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46280"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-42767",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42767"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-45447",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45447"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-45445",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45445"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-49759",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49759"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46307",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46307"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46291",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46291"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46301",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46301"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46303",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46303"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46306",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46306"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-48856",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48856"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46287",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46287"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-48860",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48860"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-34180",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34180"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46292",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46292"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46285",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46285"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46312",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46312"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-49760",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49760"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46319",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46319"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46293",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46293"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-48914",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48914"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-7383",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-7383"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46296",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46296"
},
{
"published_at": "2026-06-13",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-9076",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-9076"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46274",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46274"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-48855",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48855"
},
{
"published_at": "2026-06-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-10275",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10275"
},
{
"published_at": "2026-06-04",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-8643",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-8643"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-48858",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48858"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46289",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46289"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46299",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46299"
},
{
"published_at": "2026-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-46304",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46304"
}
]
}
CVE-2026-46307 (GCVE-0-2026-46307)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-14 18:08
VLAI
EPSS
Title
wifi: ath5k: do not access array OOB
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath5k: do not access array OOB
Vincent reports:
> The ath5k driver seems to do an array-index-out-of-bounds access as
> shown by the UBSAN kernel message:
> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20
> index 4 is out of range for type 'ieee80211_tx_rate [4]'
> ...
> Call Trace:
> <TASK>
> dump_stack_lvl+0x5d/0x80
> ubsan_epilogue+0x5/0x2b
> __ubsan_handle_out_of_bounds.cold+0x46/0x4b
> ath5k_tasklet_tx+0x4e0/0x560 [ath5k]
> tasklet_action_common+0xb5/0x1c0
It is real. 'ts->ts_final_idx' can be 3 on 5212, so:
info->status.rates[ts->ts_final_idx + 1].idx = -1;
with the array defined as:
struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];
while the size is:
#define IEEE80211_TX_MAX_RATES 4
is indeed bogus.
Set this 'idx = -1' sentinel only if the array index is less than the
array size. As mac80211 will not look at rates beyond the size
(IEEE80211_TX_MAX_RATES).
Note: The effect of the OOB write is negligible. It just overwrites the
next member of info->status, i.e. ack_signal.
Severity
8.3 (High)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/ecb1c163166759dec… | |
| https://git.kernel.org/stable/c/9dd6aae4bc7bfa110… | |
| https://git.kernel.org/stable/c/744c19e266b0d2628… | |
| https://git.kernel.org/stable/c/83226c71af53fb9b3… | |
| https://git.kernel.org/stable/c/d6869537013b1f21b… | |
| https://git.kernel.org/stable/c/e9f1081bc77514615… | |
| https://git.kernel.org/stable/c/568173ad9bd0b46cc… | |
| https://git.kernel.org/stable/c/d748603f12baff112… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
6d7b97b23e114c8fbb825e6721164d228c1af3fc , < ecb1c163166759dec004c1fdb9709b8a5992fc8e
(git)
Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < 9dd6aae4bc7bfa11088d928670a3315eae542769 (git) Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < 744c19e266b0d2628c5951439195dcef27eadacf (git) Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < 83226c71af53fb9b3cad40cb9a9a79f36d68c020 (git) Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < d6869537013b1f21b292342752d97868b79b5934 (git) Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < e9f1081bc775146156def0dbc821b92f35d56afb (git) Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < 568173ad9bd0b46cc6cd937dea8791e9b5eefa57 (git) Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < d748603f12baff112caa3ab7d39f50100f010dbd (git) |
|
| Linux | Linux |
Affected:
3.0
Unaffected: 0 , < 3.0 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.7 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath5k/base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ecb1c163166759dec004c1fdb9709b8a5992fc8e",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "9dd6aae4bc7bfa11088d928670a3315eae542769",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "744c19e266b0d2628c5951439195dcef27eadacf",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "83226c71af53fb9b3cad40cb9a9a79f36d68c020",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "d6869537013b1f21b292342752d97868b79b5934",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "e9f1081bc775146156def0dbc821b92f35d56afb",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "568173ad9bd0b46cc6cd937dea8791e9b5eefa57",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "d748603f12baff112caa3ab7d39f50100f010dbd",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath5k/base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath5k: do not access array OOB\n\nVincent reports:\n\u003e The ath5k driver seems to do an array-index-out-of-bounds access as\n\u003e shown by the UBSAN kernel message:\n\u003e UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20\n\u003e index 4 is out of range for type \u0027ieee80211_tx_rate [4]\u0027\n\u003e ...\n\u003e Call Trace:\n\u003e \u003cTASK\u003e\n\u003e dump_stack_lvl+0x5d/0x80\n\u003e ubsan_epilogue+0x5/0x2b\n\u003e __ubsan_handle_out_of_bounds.cold+0x46/0x4b\n\u003e ath5k_tasklet_tx+0x4e0/0x560 [ath5k]\n\u003e tasklet_action_common+0xb5/0x1c0\n\nIt is real. \u0027ts-\u003ets_final_idx\u0027 can be 3 on 5212, so:\n info-\u003estatus.rates[ts-\u003ets_final_idx + 1].idx = -1;\nwith the array defined as:\n struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];\nwhile the size is:\n #define IEEE80211_TX_MAX_RATES 4\nis indeed bogus.\n\nSet this \u0027idx = -1\u0027 sentinel only if the array index is less than the\narray size. As mac80211 will not look at rates beyond the size\n(IEEE80211_TX_MAX_RATES).\n\nNote: The effect of the OOB write is negligible. It just overwrites the\nnext member of info-\u003estatus, i.e. ack_signal."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:08:05.377Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ecb1c163166759dec004c1fdb9709b8a5992fc8e"
},
{
"url": "https://git.kernel.org/stable/c/9dd6aae4bc7bfa11088d928670a3315eae542769"
},
{
"url": "https://git.kernel.org/stable/c/744c19e266b0d2628c5951439195dcef27eadacf"
},
{
"url": "https://git.kernel.org/stable/c/83226c71af53fb9b3cad40cb9a9a79f36d68c020"
},
{
"url": "https://git.kernel.org/stable/c/d6869537013b1f21b292342752d97868b79b5934"
},
{
"url": "https://git.kernel.org/stable/c/e9f1081bc775146156def0dbc821b92f35d56afb"
},
{
"url": "https://git.kernel.org/stable/c/568173ad9bd0b46cc6cd937dea8791e9b5eefa57"
},
{
"url": "https://git.kernel.org/stable/c/d748603f12baff112caa3ab7d39f50100f010dbd"
}
],
"title": "wifi: ath5k: do not access array OOB",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46307",
"datePublished": "2026-06-08T15:46:35.059Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-14T18:08:05.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46312 (GCVE-0-2026-46312)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:50 – Updated: 2026-06-14 18:08
VLAI
EPSS
Title
media: videobuf2: Set vma_flags in vb2_dma_sg_mmap
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: videobuf2: Set vma_flags in vb2_dma_sg_mmap
vb2_dma_contig sets VMA flags VM_DONTEXPAND and VM_DONTDUMP and I do not
see a reason why vb2_dma_sg should behave differently. This avoids
hitting `WARN_ON(!(vma->vm_flags & VM_DONTEXPAND));` in
drm_gem_mmap_obj() during mmap() of an imported dma-buf from the out of
tree Apple ISP camera capture driver which uses vb2_dma_sg_memops.
gst-launch-1.0 v4l2src ! gtk4paintablesink
[ 38.201528] ------------[ cut here ]------------
[ 38.202135] WARNING: CPU: 7 PID: 2362 at drivers/gpu/drm/drm_gem.c:1144 drm_gem_mmap_obj+0x1f8/0x210
[ 38.203278] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer
snd_seq snd_seq_device uinput nf_conntrack_netbios_ns
nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib
nft_reject_inet nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat
nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables qrtr bnep
nls_ascii i2c_dev loop fuse dm_multipath nfnetlink brcmfmac_wcc
hid_magicmouse hci_bcm4377 brcmfmac brcmutil bluetooth ecdh_generic
cfg80211 ecc btrfs xor xor_neon rfkill hid_apple raid6_pq joydev
aop_als apple_nvmem_spmi industrialio snd_soc_aop apple_z2
snd_soc_cs42l84 tps6598x snd_soc_tas2764 macsmc_reboot spi_nor
macsmc_hwmon rtc_macsmc gpio_macsmc macsmc_power regmap_spmi
macsmc_input dockchannel_hid panel_summit appledrm nvme_apple dwc3
snd_soc_macaudio drm_client_lib nvme_core phy_apple_atc hwmon
apple_sart apple_dockchannel macsmc apple_rtkit_helper
spmi_apple_controller aop apple_wdt mfd_core nvmem_apple_efuses
pinctrl_apple_gpio apple_isp apple_dcp videobuf2_dma_sg mux_core
spi_apple
[ 38.203300] videobuf2_memops i2c_pasemi_platform snd_soc_apple_mca videobuf2_v4l2 videodev clk_apple_nco videobuf2_common snd_pcm_dmaengine adpdrm asahi apple_admac adpdrm_mipi drm_dma_helper pwm_apple i2c_pasemi_core drm_display_helper mc cec apple_dart ofpart apple_soc_cpufreq leds_pwm phram
[ 38.217677] CPU: 7 UID: 1000 PID: 2362 Comm: gst-launch-1.0 Tainted: G W 6.17.6+ #asahi-dev PREEMPT(full)
[ 38.219040] Tainted: [W]=WARN
[ 38.219398] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT)
[ 38.220213] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 38.221088] pc : drm_gem_mmap_obj+0x1f8/0x210
[ 38.221643] lr : drm_gem_mmap_obj+0x78/0x210
[ 38.222178] sp : ffffc0008dc678e0
[ 38.222579] x29: ffffc0008dc678e0 x28: 0000000000042a97 x27: ffff8000b701b480
[ 38.223465] x26: 00000000000000fb x25: ffffc0008dc67d20 x24: ffffc0008dc67968
[ 38.224402] x23: ffff8000e3ca5600 x22: ffff8000265b7800 x21: ffff80003000c0c0
[ 38.225279] x20: 0000000000000000 x19: ffff8000b68c5200 x18: ffffc0008dc67968
[ 38.226151] x17: 0000000000000000 x16: 0000000000000000 x15: ffffc000810a30a8
[ 38.227042] x14: 00007fff637effff x13: 00005555de91ffff x12: 00007fff63293fff
[ 38.227942] x11: 0000000000000000 x10: ffff8000184ecf08 x9 : ffffc0007a1900c8
[ 38.228824] x8 : ffffc0008dc67968 x7 : 0000000000000012 x6 : ffffc0015cf1c000
[ 38.229703] x5 : ffffc0008dc676a0 x4 : ffffc00081a27dc0 x3 : 0000000000000038
[ 38.230607] x2 : 0000000000000003 x1 : 0000000000000003 x0 : 00000000100000fb
[ 38.231488] Call trace:
[ 38.231806] drm_gem_mmap_obj+0x1f8/0x210 (P)
[ 38.232342] drm_gem_mmap+0x140/0x260
[ 38.232813] __mmap_region+0x488/0x9a0
[ 38.233277] mmap_region+0xd0/0x148
[ 38.233703] do_mmap+0x350/0x5c0
[ 38.234148] vm_mmap_pgoff+0x14c/0x200
[ 38.234612] ksys_mmap_pgoff+0x150/0x208
[ 38.235107] __arm64_sys_mmap+0x34/0x50
[ 38.235611] invoke_syscall+0x50/0x120
[ 38.236075] el0_svc_common.constprop.0+0x48/0xf0
[ 38.236680] do_el0_svc+0x24/0x38
[ 38.237113] el0_svc+0x38/0x168
[ 38.237507] el0t_64_sync_handler+0xa0/0xe8
[ 38.238034] el0t_64_sync+0x198/0x1a0
[ 38.238491] ---[ end trace 0000000000000000 ]---
There were discussions in [1] at the end of 2023 that mmap() on imported
---truncated---
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
5ba3f757f0592ca001266b4a6214d0332349909c , < feb17524aa4ec337749344be0db52b88663e25ab
(git)
Affected: 5ba3f757f0592ca001266b4a6214d0332349909c , < 1a1360264f699521e001e7739009ee3ee3c6a4f5 (git) Affected: 5ba3f757f0592ca001266b4a6214d0332349909c , < 21fade52ab9fb13368a5709e60b0d9909197aeae (git) Affected: 5ba3f757f0592ca001266b4a6214d0332349909c , < b4cf91658a636618f1437beec971dec25dec28eb (git) Affected: 5ba3f757f0592ca001266b4a6214d0332349909c , < 7254b31a13aaa0c2c0f9ffbc335b718656117ff4 (git) |
|
| Linux | Linux |
Affected:
2.6.39
Unaffected: 0 , < 2.6.39 (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.90 , ≤ 6.12.* (semver) Unaffected: 6.18.32 , ≤ 6.18.* (semver) Unaffected: 7.0.9 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/common/videobuf2/videobuf2-dma-sg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "feb17524aa4ec337749344be0db52b88663e25ab",
"status": "affected",
"version": "5ba3f757f0592ca001266b4a6214d0332349909c",
"versionType": "git"
},
{
"lessThan": "1a1360264f699521e001e7739009ee3ee3c6a4f5",
"status": "affected",
"version": "5ba3f757f0592ca001266b4a6214d0332349909c",
"versionType": "git"
},
{
"lessThan": "21fade52ab9fb13368a5709e60b0d9909197aeae",
"status": "affected",
"version": "5ba3f757f0592ca001266b4a6214d0332349909c",
"versionType": "git"
},
{
"lessThan": "b4cf91658a636618f1437beec971dec25dec28eb",
"status": "affected",
"version": "5ba3f757f0592ca001266b4a6214d0332349909c",
"versionType": "git"
},
{
"lessThan": "7254b31a13aaa0c2c0f9ffbc335b718656117ff4",
"status": "affected",
"version": "5ba3f757f0592ca001266b4a6214d0332349909c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/common/videobuf2/videobuf2-dma-sg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.39"
},
{
"lessThan": "2.6.39",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.39",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: videobuf2: Set vma_flags in vb2_dma_sg_mmap\n\nvb2_dma_contig sets VMA flags VM_DONTEXPAND and VM_DONTDUMP and I do not\nsee a reason why vb2_dma_sg should behave differently. This avoids\nhitting `WARN_ON(!(vma-\u003evm_flags \u0026 VM_DONTEXPAND));` in\ndrm_gem_mmap_obj() during mmap() of an imported dma-buf from the out of\ntree Apple ISP camera capture driver which uses vb2_dma_sg_memops.\n\ngst-launch-1.0 v4l2src ! gtk4paintablesink\n\n[ 38.201528] ------------[ cut here ]------------\n[ 38.202135] WARNING: CPU: 7 PID: 2362 at drivers/gpu/drm/drm_gem.c:1144 drm_gem_mmap_obj+0x1f8/0x210\n[ 38.203278] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer\nsnd_seq snd_seq_device uinput nf_conntrack_netbios_ns\nnf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib\nnft_reject_inet nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat\nnf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables qrtr bnep\nnls_ascii i2c_dev loop fuse dm_multipath nfnetlink brcmfmac_wcc\nhid_magicmouse hci_bcm4377 brcmfmac brcmutil bluetooth ecdh_generic\ncfg80211 ecc btrfs xor xor_neon rfkill hid_apple raid6_pq joydev\naop_als apple_nvmem_spmi industrialio snd_soc_aop apple_z2\nsnd_soc_cs42l84 tps6598x snd_soc_tas2764 macsmc_reboot spi_nor\nmacsmc_hwmon rtc_macsmc gpio_macsmc macsmc_power regmap_spmi\nmacsmc_input dockchannel_hid panel_summit appledrm nvme_apple dwc3\nsnd_soc_macaudio drm_client_lib nvme_core phy_apple_atc hwmon\napple_sart apple_dockchannel macsmc apple_rtkit_helper\nspmi_apple_controller aop apple_wdt mfd_core nvmem_apple_efuses\npinctrl_apple_gpio apple_isp apple_dcp videobuf2_dma_sg mux_core\nspi_apple\n[ 38.203300] videobuf2_memops i2c_pasemi_platform snd_soc_apple_mca videobuf2_v4l2 videodev clk_apple_nco videobuf2_common snd_pcm_dmaengine adpdrm asahi apple_admac adpdrm_mipi drm_dma_helper pwm_apple i2c_pasemi_core drm_display_helper mc cec apple_dart ofpart apple_soc_cpufreq leds_pwm phram\n[ 38.217677] CPU: 7 UID: 1000 PID: 2362 Comm: gst-launch-1.0 Tainted: G W 6.17.6+ #asahi-dev PREEMPT(full)\n[ 38.219040] Tainted: [W]=WARN\n[ 38.219398] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT)\n[ 38.220213] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 38.221088] pc : drm_gem_mmap_obj+0x1f8/0x210\n[ 38.221643] lr : drm_gem_mmap_obj+0x78/0x210\n[ 38.222178] sp : ffffc0008dc678e0\n[ 38.222579] x29: ffffc0008dc678e0 x28: 0000000000042a97 x27: ffff8000b701b480\n[ 38.223465] x26: 00000000000000fb x25: ffffc0008dc67d20 x24: ffffc0008dc67968\n[ 38.224402] x23: ffff8000e3ca5600 x22: ffff8000265b7800 x21: ffff80003000c0c0\n[ 38.225279] x20: 0000000000000000 x19: ffff8000b68c5200 x18: ffffc0008dc67968\n[ 38.226151] x17: 0000000000000000 x16: 0000000000000000 x15: ffffc000810a30a8\n[ 38.227042] x14: 00007fff637effff x13: 00005555de91ffff x12: 00007fff63293fff\n[ 38.227942] x11: 0000000000000000 x10: ffff8000184ecf08 x9 : ffffc0007a1900c8\n[ 38.228824] x8 : ffffc0008dc67968 x7 : 0000000000000012 x6 : ffffc0015cf1c000\n[ 38.229703] x5 : ffffc0008dc676a0 x4 : ffffc00081a27dc0 x3 : 0000000000000038\n[ 38.230607] x2 : 0000000000000003 x1 : 0000000000000003 x0 : 00000000100000fb\n[ 38.231488] Call trace:\n[ 38.231806] drm_gem_mmap_obj+0x1f8/0x210 (P)\n[ 38.232342] drm_gem_mmap+0x140/0x260\n[ 38.232813] __mmap_region+0x488/0x9a0\n[ 38.233277] mmap_region+0xd0/0x148\n[ 38.233703] do_mmap+0x350/0x5c0\n[ 38.234148] vm_mmap_pgoff+0x14c/0x200\n[ 38.234612] ksys_mmap_pgoff+0x150/0x208\n[ 38.235107] __arm64_sys_mmap+0x34/0x50\n[ 38.235611] invoke_syscall+0x50/0x120\n[ 38.236075] el0_svc_common.constprop.0+0x48/0xf0\n[ 38.236680] do_el0_svc+0x24/0x38\n[ 38.237113] el0_svc+0x38/0x168\n[ 38.237507] el0t_64_sync_handler+0xa0/0xe8\n[ 38.238034] el0t_64_sync+0x198/0x1a0\n[ 38.238491] ---[ end trace 0000000000000000 ]---\n\nThere were discussions in [1] at the end of 2023 that mmap() on imported\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:08:26.067Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/feb17524aa4ec337749344be0db52b88663e25ab"
},
{
"url": "https://git.kernel.org/stable/c/1a1360264f699521e001e7739009ee3ee3c6a4f5"
},
{
"url": "https://git.kernel.org/stable/c/21fade52ab9fb13368a5709e60b0d9909197aeae"
},
{
"url": "https://git.kernel.org/stable/c/b4cf91658a636618f1437beec971dec25dec28eb"
},
{
"url": "https://git.kernel.org/stable/c/7254b31a13aaa0c2c0f9ffbc335b718656117ff4"
}
],
"title": "media: videobuf2: Set vma_flags in vb2_dma_sg_mmap",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46312",
"datePublished": "2026-06-08T15:50:42.964Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-14T18:08:26.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46319 (GCVE-0-2026-46319)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:11 – Updated: 2026-06-14 18:08
VLAI
EPSS
Title
net/sched: act_ct: Only release RCU read lock after ct_ft
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_ct: Only release RCU read lock after ct_ft
When looking up a flow table in act_ct in tcf_ct_flow_table_get(),
rhashtable_lookup_fast() internally opens and closes an RCU read critical
section before returning ct_ft.
The tcf_ct_flow_table_cleanup_work() can complete before refcount_inc_not_zero()
is invoked on the returned ct_ft resulting in a UAF on the already freed ct_ft
object. This vulnerability can lead to privilege escalation.
Analysis from zdi-disclosures@trendmicro.com:
When initializing act_ct, tcf_ct_init() is called, which internally triggers
tcf_ct_flow_table_get().
static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)
{
struct zones_ht_key key = { .net = net, .zone = params->zone };
struct tcf_ct_flow_table *ct_ft;
int err = -ENOMEM;
mutex_lock(&zones_mutex);
ct_ft = rhashtable_lookup_fast(&zones_ht, &key, zones_params); // [1]
if (ct_ft && refcount_inc_not_zero(&ct_ft->ref)) // [2]
goto out_unlock;
...
}
static __always_inline void *rhashtable_lookup_fast(
struct rhashtable *ht, const void *key,
const struct rhashtable_params params)
{
void *obj;
rcu_read_lock();
obj = rhashtable_lookup(ht, key, params);
rcu_read_unlock();
return obj;
}
At [1], rhashtable_lookup_fast() looks up and returns the corresponding ct_ft
from zones_ht . The lookup is performed within an RCU read critical section
through rcu_read_lock() / rcu_read_unlock(), which prevents the object from
being freed. However, at the point of function return, rcu_read_unlock() has
already been called, and there is nothing preventing ct_ft from being freed
before reaching refcount_inc_not_zero(&ct_ft->ref) at [2]. This interval becomes
the race window, during which ct_ft can be freed.
Free Process:
tcf_ct_flow_table_put() is executed through the path tcf_ct_cleanup() call_rcu()
tcf_ct_params_free_rcu() tcf_ct_params_free() tcf_ct_flow_table_put().
static void tcf_ct_flow_table_put(struct tcf_ct_flow_table *ct_ft)
{
if (refcount_dec_and_test(&ct_ft->ref)) {
rhashtable_remove_fast(&zones_ht, &ct_ft->node, zones_params);
INIT_RCU_WORK(&ct_ft->rwork, tcf_ct_flow_table_cleanup_work); // [3]
queue_rcu_work(act_ct_wq, &ct_ft->rwork);
}
}
At [3], tcf_ct_flow_table_cleanup_work() is scheduled as RCU work
static void tcf_ct_flow_table_cleanup_work(struct work_struct *work)
{
struct tcf_ct_flow_table *ct_ft;
struct flow_block *block;
ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table,
rwork);
nf_flow_table_free(&ct_ft->nf_ft);
block = &ct_ft->nf_ft.flow_block;
down_write(&ct_ft->nf_ft.flow_block_lock);
WARN_ON(!list_empty(&block->cb_list));
up_write(&ct_ft->nf_ft.flow_block_lock);
kfree(ct_ft); // [4]
module_put(THIS_MODULE);
}
tcf_ct_flow_table_cleanup_work() frees ct_ft at [4]. When this function executes
between [1] and [2], UAF occurs.
This race condition has a very short race window, making it generally
difficult to trigger. Therefore, to trigger the vulnerability an msleep(100) was
inserted after[1]
Severity
7.8 (High)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/ece578ca61e572df9… | |
| https://git.kernel.org/stable/c/a2e0c045c87aa252e… | |
| https://git.kernel.org/stable/c/67c9ecc9f2575273e… | |
| https://git.kernel.org/stable/c/f23424a0ddadb494d… | |
| https://git.kernel.org/stable/c/17dfb67cb399b6601… | |
| https://git.kernel.org/stable/c/4c727c6967a41b37e… | |
| https://git.kernel.org/stable/c/3e20e1b3058e0b946… | |
| https://git.kernel.org/stable/c/f462dca0c8415bf00… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
138470a9b2cc2e26e6018300394afc3858a54e6a , < ece578ca61e572df96cfc80456357ebfae0b4b9e
(git)
Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < a2e0c045c87aa252eb61412e67dd91f2c2b19f81 (git) Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < 67c9ecc9f2575273ed1323e312881fc98ac83d6d (git) Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < f23424a0ddadb494d4bd57056a7ca703312d3a7b (git) Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < 17dfb67cb399b660105d9a8c6100851c0d0cdc70 (git) Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < 4c727c6967a41b37efe0f26332ca9ec5b74785a3 (git) Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < 3e20e1b3058e0b94638e7b931c138e840e266724 (git) Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < f462dca0c8415bf0058d0ffa476354c4476d0f09 (git) |
|
| Linux | Linux |
Affected:
5.7
Unaffected: 0 , < 5.7 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.141 , ≤ 6.6.* (semver) Unaffected: 6.12.91 , ≤ 6.12.* (semver) Unaffected: 6.18.33 , ≤ 6.18.* (semver) Unaffected: 7.0.10 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/act_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ece578ca61e572df96cfc80456357ebfae0b4b9e",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "a2e0c045c87aa252eb61412e67dd91f2c2b19f81",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "67c9ecc9f2575273ed1323e312881fc98ac83d6d",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "f23424a0ddadb494d4bd57056a7ca703312d3a7b",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "17dfb67cb399b660105d9a8c6100851c0d0cdc70",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "4c727c6967a41b37efe0f26332ca9ec5b74785a3",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "3e20e1b3058e0b94638e7b931c138e840e266724",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "f462dca0c8415bf0058d0ffa476354c4476d0f09",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/act_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ct: Only release RCU read lock after ct_ft\n\nWhen looking up a flow table in act_ct in tcf_ct_flow_table_get(),\nrhashtable_lookup_fast() internally opens and closes an RCU read critical\nsection before returning ct_ft.\nThe tcf_ct_flow_table_cleanup_work() can complete before refcount_inc_not_zero()\nis invoked on the returned ct_ft resulting in a UAF on the already freed ct_ft\nobject. This vulnerability can lead to privilege escalation.\n\nAnalysis from zdi-disclosures@trendmicro.com:\nWhen initializing act_ct, tcf_ct_init() is called, which internally triggers\ntcf_ct_flow_table_get().\n\nstatic int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)\n\n{\n struct zones_ht_key key = { .net = net, .zone = params-\u003ezone };\n struct tcf_ct_flow_table *ct_ft;\n int err = -ENOMEM;\n\n mutex_lock(\u0026zones_mutex);\n ct_ft = rhashtable_lookup_fast(\u0026zones_ht, \u0026key, zones_params); // [1]\n if (ct_ft \u0026\u0026 refcount_inc_not_zero(\u0026ct_ft-\u003eref)) // [2]\n goto out_unlock;\n ...\n}\n\nstatic __always_inline void *rhashtable_lookup_fast(\n struct rhashtable *ht, const void *key,\n const struct rhashtable_params params)\n{\n void *obj;\n\n rcu_read_lock();\n obj = rhashtable_lookup(ht, key, params);\n rcu_read_unlock();\n\n return obj;\n}\n\nAt [1], rhashtable_lookup_fast() looks up and returns the corresponding ct_ft\nfrom zones_ht . The lookup is performed within an RCU read critical section\nthrough rcu_read_lock() / rcu_read_unlock(), which prevents the object from\nbeing freed. However, at the point of function return, rcu_read_unlock() has\nalready been called, and there is nothing preventing ct_ft from being freed\nbefore reaching refcount_inc_not_zero(\u0026ct_ft-\u003eref) at [2]. This interval becomes\nthe race window, during which ct_ft can be freed.\n\nFree Process:\n\ntcf_ct_flow_table_put() is executed through the path tcf_ct_cleanup() call_rcu()\ntcf_ct_params_free_rcu() tcf_ct_params_free() tcf_ct_flow_table_put().\n\nstatic void tcf_ct_flow_table_put(struct tcf_ct_flow_table *ct_ft)\n{\n if (refcount_dec_and_test(\u0026ct_ft-\u003eref)) {\n rhashtable_remove_fast(\u0026zones_ht, \u0026ct_ft-\u003enode, zones_params);\n INIT_RCU_WORK(\u0026ct_ft-\u003erwork, tcf_ct_flow_table_cleanup_work); // [3]\n queue_rcu_work(act_ct_wq, \u0026ct_ft-\u003erwork);\n }\n}\n\nAt [3], tcf_ct_flow_table_cleanup_work() is scheduled as RCU work\n\nstatic void tcf_ct_flow_table_cleanup_work(struct work_struct *work)\n\n{\n struct tcf_ct_flow_table *ct_ft;\n struct flow_block *block;\n\n ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table,\n rwork);\n nf_flow_table_free(\u0026ct_ft-\u003enf_ft);\n block = \u0026ct_ft-\u003enf_ft.flow_block;\n down_write(\u0026ct_ft-\u003enf_ft.flow_block_lock);\n WARN_ON(!list_empty(\u0026block-\u003ecb_list));\n up_write(\u0026ct_ft-\u003enf_ft.flow_block_lock);\n kfree(ct_ft); // [4]\n\n module_put(THIS_MODULE);\n}\n\ntcf_ct_flow_table_cleanup_work() frees ct_ft at [4]. When this function executes\nbetween [1] and [2], UAF occurs.\n\nThis race condition has a very short race window, making it generally\ndifficult to trigger. Therefore, to trigger the vulnerability an msleep(100) was\ninserted after[1]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:08:57.070Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ece578ca61e572df96cfc80456357ebfae0b4b9e"
},
{
"url": "https://git.kernel.org/stable/c/a2e0c045c87aa252eb61412e67dd91f2c2b19f81"
},
{
"url": "https://git.kernel.org/stable/c/67c9ecc9f2575273ed1323e312881fc98ac83d6d"
},
{
"url": "https://git.kernel.org/stable/c/f23424a0ddadb494d4bd57056a7ca703312d3a7b"
},
{
"url": "https://git.kernel.org/stable/c/17dfb67cb399b660105d9a8c6100851c0d0cdc70"
},
{
"url": "https://git.kernel.org/stable/c/4c727c6967a41b37efe0f26332ca9ec5b74785a3"
},
{
"url": "https://git.kernel.org/stable/c/3e20e1b3058e0b94638e7b931c138e840e266724"
},
{
"url": "https://git.kernel.org/stable/c/f462dca0c8415bf0058d0ffa476354c4476d0f09"
}
],
"title": "net/sched: act_ct: Only release RCU read lock after ct_ft",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46319",
"datePublished": "2026-06-09T12:11:12.128Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-14T18:08:57.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48855 (GCVE-0-2026-48855)
Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
VLAI
EPSS
Title
SFTP READLINK Leaks Absolute Backend Filesystem Path When Root Is Configured
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery.
The SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to /; ssh_sftpd resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via SSH_FXP_READLINK returns that absolute path, for example /data/sftp, instead of the chrooted value /.
The information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone.
This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.
This issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-48855.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48855 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/8f4224a0d267… | patch |
Impacted products
2 products
Credits
Jonatan Männchen / EEF
Jonatan Männchen / EEF
Michał Wąsowski
Jakub Witczak
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48855",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:22:16.684743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:22:24.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftpd"
],
"packageName": "ssh",
"packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/ssh_sftpd.erl"
],
"programRoutines": [
{
"name": "ssh_sftpd:handle_op/4"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "6.0.1",
"status": "unaffected"
},
{
"at": "5.5.2.1",
"status": "unaffected"
},
{
"at": "5.2.11.8",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.0.1",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftpd"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"programRoutines": [
{
"name": "ssh_sftpd:handle_op/4"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "29.0.2",
"status": "unaffected"
},
{
"at": "28.5.0.2",
"status": "unaffected"
},
{
"at": "27.3.4.13",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"lessThan": "8f4224a0d2676b0653d2c71a889a956e8c2c62d6",
"status": "affected",
"version": "08225797f7ef943d0c82a1d9dd6650d94ca2580d",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The SFTP subsystem must be enabled on the SSH server and the \u003ctt\u003eroot\u003c/tt\u003e option must be configured in the \u003ctt\u003essh_sftpd:subsystem_spec/1\u003c/tt\u003e call. Deployments without the \u003ctt\u003eroot\u003c/tt\u003e option are not affected."
}
],
"value": "The SFTP subsystem must be enabled on the SSH server and the root option must be configured in the ssh_sftpd:subsystem_spec/1 call. Deployments without the root option are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.2",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.2",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Micha\u0142 W\u0105sowski"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Jakub Witczak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (\u003ctt\u003essh_sftpd\u003c/tt\u003e module) allows File Discovery.\u003cp\u003eThe \u003ctt\u003eSSH_FXP_READLINK\u003c/tt\u003e handler in \u003ctt\u003essh_sftpd\u003c/tt\u003e sends the raw result of \u003ctt\u003efile:read_link/2\u003c/tt\u003e to the client without calling \u003ctt\u003echroot_filename/2\u003c/tt\u003e to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to \u003ctt\u003e/\u003c/tt\u003e; \u003ctt\u003essh_sftpd\u003c/tt\u003e resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via \u003ctt\u003eSSH_FXP_READLINK\u003c/tt\u003e returns that absolute path, for example \u003ctt\u003e/data/sftp\u003c/tt\u003e, instead of the chrooted value \u003ctt\u003e/\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery.\n\nThe SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to /; ssh_sftpd resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via SSH_FXP_READLINK returns that absolute path, for example /data/sftp, instead of the chrooted value /.\n\nThe information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.\n\nThis issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8."
}
],
"impacts": [
{
"capecId": "CAPEC-116",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-116 Excavation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T04:45:29.864Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-pv7g-pjrq-x2fh"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48855.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48855"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/8f4224a0d2676b0653d2c71a889a956e8c2c62d6"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "SFTP READLINK Leaks Absolute Backend Filesystem Path When Root Is Configured",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eUse OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level \u003ctt\u003eroot\u003c/tt\u003e option.\u003c/li\u003e\u003cli\u003eEnsure that the SFTP server port is not reachable from untrusted machines.\u003c/li\u003e\u003cli\u003eEnsure that no sensitive information (usernames, project names, mount topology) is inferrable from the absolute path of the configured root directory.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Use OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level root option.\n* Ensure that the SFTP server port is not reachable from untrusted machines.\n* Ensure that no sensitive information (usernames, project names, mount topology) is inferrable from the absolute path of the configured root directory."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48855",
"datePublished": "2026-06-10T14:35:49.683Z",
"dateReserved": "2026-05-25T20:44:10.697Z",
"dateUpdated": "2026-06-11T04:45:29.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48856 (GCVE-0-2026-48856)
Vulnerability from cvelistv5 – Published: 2026-06-10 14:41 – Updated: 2026-06-11 04:45
VLAI
EPSS
Title
httpc leaks Authorization header to cross-origin redirect targets
Summary
Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data.
The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host.
autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects.
An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header.
This vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl.
This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-48856.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48856 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/688d748d6f7a… | patch |
Impacted products
2 products
Credits
Jonatan Männchen / EEF
Jonatan Männchen / EEF
Ingela Anderton Andin
Konrad Pietrzak
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48856",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:23:52.053802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:24:02.066Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"httpc_response"
],
"packageName": "inets",
"packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/http_client/httpc_response.erl"
],
"programRoutines": [
{
"name": "httpc_response:redirect/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "9.7.1",
"status": "unaffected"
},
{
"at": "9.6.2.2",
"status": "unaffected"
},
{
"at": "9.3.2.6",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "5.10",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"httpc_response"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/inets/src/http_client/httpc_response.erl"
],
"programRoutines": [
{
"name": "httpc_response:redirect/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "29.0.2",
"status": "unaffected"
},
{
"at": "28.5.0.2",
"status": "unaffected"
},
{
"at": "27.3.4.13",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"lessThan": "688d748d6f7a6a06b13b662a1d3de8af97079612",
"status": "affected",
"version": "84adefa331c4159d432d22840663c38f155cd4c1",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.2",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.2",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ingela Anderton Andin"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Konrad Pietrzak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Sensitive Data Exposure vulnerability in Erlang OTP inets (\u003ctt\u003ehttpc_response\u003c/tt\u003e module) allows Retrieve Embedded Sensitive Data.\u003cp\u003eThe \u003ctt\u003ehttpc\u003c/tt\u003e client forwards the \u003ctt\u003eAuthorization\u003c/tt\u003e and \u003ctt\u003eProxy-Authorization\u003c/tt\u003e request headers to redirect targets without checking whether the redirect crosses an origin boundary. \u003ctt\u003ehttpc_response:redirect/2\u003c/tt\u003e constructs the redirected request by updating only the \u003ctt\u003ehost\u003c/tt\u003e field of the header record; all other fields (including \u003ctt\u003eauthorization\u003c/tt\u003e and \u003ctt\u003eproxy_authorization\u003c/tt\u003e) are copied verbatim. The redirect target host is never compared against the original host.\u003c/p\u003e\u003cp\u003e\u003ctt\u003eautoredirect\u003c/tt\u003e defaults to \u003ctt\u003etrue\u003c/tt\u003e, so this affects all \u003ctt\u003ehttpc\u003c/tt\u003e callers that do not explicitly disable automatic redirects.\u003c/p\u003e\u003cp\u003eAn attacker who controls a server that the victim contacts via \u003ctt\u003ehttpc\u003c/tt\u003e can issue a cross-origin 3xx redirect to a server they also control. The \u003ctt\u003eAuthorization\u003c/tt\u003e header (including Basic credentials derived from URL userinfo via \u003ctt\u003ehttpc_request:handle_user_info/2\u003c/tt\u003e) is forwarded to the redirect target, allowing credential theft. The same applies to the \u003ctt\u003eProxy-Authorization\u003c/tt\u003e header.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/http_client/httpc_response.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.\u003c/p\u003e"
}
],
"value": "Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data.\n\nThe httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host.\n\nautoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects.\n\nAn attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header.\n\nThis vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl.\n\nThis issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T04:45:35.836Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjh"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48856.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48856"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/688d748d6f7a6a06b13b662a1d3de8af97079612"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "httpc leaks Authorization header to cross-origin redirect targets",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eSet \u003ctt\u003e{autoredirect, false}\u003c/tt\u003e in the \u003ctt\u003ehttpc:request/4\u003c/tt\u003e options and handle redirects manually, stripping the \u003ctt\u003eAuthorization\u003c/tt\u003e header when the redirect crosses an origin boundary.\u003c/li\u003e\u003cli\u003eEnsure that \u003ctt\u003ehttpc\u003c/tt\u003e is only used to contact trusted servers that will not issue cross-origin redirects.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Set {autoredirect, false} in the httpc:request/4 options and handle redirects manually, stripping the Authorization header when the redirect crosses an origin boundary.\n* Ensure that httpc is only used to contact trusted servers that will not issue cross-origin redirects."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48856",
"datePublished": "2026-06-10T14:41:51.616Z",
"dateReserved": "2026-05-25T20:44:10.697Z",
"dateUpdated": "2026-06-11T04:45:35.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48858 (GCVE-0-2026-48858)
Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
VLAI
EPSS
Title
ftp client PASV response IP not validated against control peer, enabling SSRF and FTP bounce attacks
Summary
Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address.
The ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server's 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. The adjacent EPSV handlers correctly call peername(CSock) to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client's data connection to an arbitrary internal host and port. On read operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the redirected target is returned to the caller. On write operations (ftp:send/2,3, ftp:append/2,3), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts.
The vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer.
The ftp application is deprecated and scheduled for removal in OTP-30.
This vulnerability is associated with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl (ftp 1.0 and later, OTP 21.0 and later).
This issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-48858.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48858 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/2691a806231f… | patch |
| https://github.com/erlang/otp/commit/521bcfa24407… | patch |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Erlang | OTP |
Affected:
5.10.4 , < 7.0
(otp)
cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:* |
|
| Erlang | OTP |
Affected:
1.0 , < *
(otp)
cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:* |
|
| Erlang | OTP |
Affected:
17.4 , < *
(otp)
Affected: be95772ee1fcfe71045ef070130bea7a910b81e3 , < * (git) cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:* |
Credits
Jonatan Männchen / EEF
Jonatan Männchen / EEF
Ingela Anderton Andin
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48858",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:20:57.662713Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:21:08.893Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ftp_internal"
],
"packageName": "inets",
"packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/ftp/ftp_internal.erl"
],
"programRoutines": [
{
"name": "ftp_internal:handle_ctrl_result/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"lessThan": "7.0",
"status": "affected",
"version": "5.10.4",
"versionType": "otp"
}
]
},
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ftp_internal"
],
"packageName": "ftp",
"packageURL": "pkg:otp/ftp?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/ftp_internal.erl"
],
"programRoutines": [
{
"name": "ftp_internal:handle_ctrl_result/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "1.2.6",
"status": "unaffected"
},
{
"at": "1.2.4.1",
"status": "unaffected"
},
{
"at": "1.2.3.1",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "1.0",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ftp_internal"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/inets/src/ftp/ftp_internal.erl",
"lib/ftp/src/ftp_internal.erl"
],
"programRoutines": [
{
"name": "ftp_internal:handle_ctrl_result/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "29.0.2",
"status": "unaffected"
},
{
"at": "28.5.0.2",
"status": "unaffected"
},
{
"at": "27.3.4.13",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.4",
"versionType": "otp"
},
{
"changes": [
{
"at": "2691a806231ffd0490a8a9e20500dec0c7e73727",
"status": "unaffected"
},
{
"at": "521bcfa24407ee8cb5614823cf905c37ea3aa605",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "be95772ee1fcfe71045ef070130bea7a910b81e3",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerable path is active under the default configuration: \u003ctt\u003emode=passive\u003c/tt\u003e, \u003ctt\u003eipfamily=inet\u003c/tt\u003e, and \u003ctt\u003eftp_extension=false\u003c/tt\u003e are all defaults for \u003ctt\u003eftp:open/2\u003c/tt\u003e."
}
],
"value": "The vulnerable path is active under the default configuration: mode=passive, ipfamily=inet, and ftp_extension=false are all defaults for ftp:open/2."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.13",
"versionStartIncluding": "17.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.2",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.2",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ingela Anderton Andin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eServer-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003eftp_internal:handle_ctrl_result/2\u003c/tt\u003e PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server\u0027s 227 response and passes it directly to \u003ctt\u003egen_tcp:connect/4\u003c/tt\u003e without validating it against the control connection peer address. The adjacent EPSV handlers correctly call \u003ctt\u003epeername(CSock)\u003c/tt\u003e to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client\u0027s data connection to an arbitrary internal host and port. On read operations (\u003ctt\u003eftp:ls/1,2\u003c/tt\u003e, \u003ctt\u003eftp:nlist/1,2\u003c/tt\u003e, \u003ctt\u003eftp:recv/2,3\u003c/tt\u003e), data from the redirected target is returned to the caller. On write operations (\u003ctt\u003eftp:send/2,3\u003c/tt\u003e, \u003ctt\u003eftp:append/2,3\u003c/tt\u003e), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts.\u003c/p\u003e\u003cp\u003eThe vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003eftp\u003c/tt\u003e application is deprecated and scheduled for removal in OTP-30.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/ftp/ftp_internal.erl\u003c/tt\u003e (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and \u003ctt\u003elib/ftp/src/ftp_internal.erl\u003c/tt\u003e (ftp 1.0 and later, OTP 21.0 and later).\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1.\u003c/p\u003e"
}
],
"value": "Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address.\n\nThe ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server\u0027s 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. The adjacent EPSV handlers correctly call peername(CSock) to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client\u0027s data connection to an arbitrary internal host and port. On read operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the redirected target is returned to the caller. On write operations (ftp:send/2,3, ftp:append/2,3), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts.\n\nThe vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer.\n\nThe ftp application is deprecated and scheduled for removal in OTP-30.\n\nThis vulnerability is associated with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl (ftp 1.0 and later, OTP 21.0 and later).\n\nThis issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T04:45:36.460Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-24cv-hwgr-37fq"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48858.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48858"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/2691a806231ffd0490a8a9e20500dec0c7e73727"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/521bcfa24407ee8cb5614823cf905c37ea3aa605"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "ftp client PASV response IP not validated against control peer, enabling SSRF and FTP bounce attacks",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pass \u003ctt\u003e{ftp_extension, true}\u003c/tt\u003e to \u003ctt\u003eftp:open/2\u003c/tt\u003e to use EPSV instead of PASV. Alternatively, pass \u003ctt\u003e{mode, active}\u003c/tt\u003e to use active mode, or pass \u003ctt\u003e{ipfamily, inet6}\u003c/tt\u003e to force IPv6, both of which bypass the vulnerable PASV path."
}
],
"value": "Pass {ftp_extension, true} to ftp:open/2 to use EPSV instead of PASV. Alternatively, pass {mode, active} to use active mode, or pass {ipfamily, inet6} to force IPv6, both of which bypass the vulnerable PASV path."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48858",
"datePublished": "2026-06-10T14:35:45.466Z",
"dateReserved": "2026-05-25T20:44:10.697Z",
"dateUpdated": "2026-06-11T04:45:36.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48860 (GCVE-0-2026-48860)
Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
VLAI
EPSS
Title
Distribution-over-TLS LAN allowlist silently bypassed due to sockname/peername confusion in inet_tls_dist
Summary
Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist.
The inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead of inet:peername/1 to obtain the peer's IP address. Because inet:sockname/1 returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including rpc:call/4 and code:load_binary/3.
This vulnerability is associated with program file lib/ssl/src/inet_tls_dist.erl.
This issue affects OTP from OTP 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-48860.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48860 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/0209a6df65d6… | patch |
Impacted products
2 products
Credits
Lukas Backström
Ingela Anderton Andin
Raimo Niskanen
Jakub Witczak
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48860",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:23:08.922807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:23:31.951Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"inet_tls_dist"
],
"packageName": "ssl",
"packageURL": "pkg:otp/ssl?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/inet_tls_dist.erl"
],
"programRoutines": [
{
"name": "inet_tls_dist:check_ip/1"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "11.7.2",
"status": "unaffected"
},
{
"at": "11.6.0.2",
"status": "unaffected"
},
{
"at": "11.2.12.9",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "11.0",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"inet_tls_dist"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssl/src/inet_tls_dist.erl"
],
"programRoutines": [
{
"name": "inet_tls_dist:check_ip/1"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "29.0.2",
"status": "unaffected"
},
{
"at": "28.5.0.2",
"status": "unaffected"
},
{
"at": "27.3.4.13",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "26.0",
"versionType": "otp"
},
{
"lessThan": "0209a6df65d605552b378273027b3968b35f26b4",
"status": "affected",
"version": "7a08c5507862a7011568506d0c17b1fdef30bee4",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Erlang distribution must be configured to use TLS (\u003ctt\u003einet_tls_dist\u003c/tt\u003e) with the \u003ctt\u003echeck_ip\u003c/tt\u003e option enabled. The default Erlang distribution configuration does not use TLS and is not affected."
}
],
"value": "The Erlang distribution must be configured to use TLS (inet_tls_dist) with the check_ip option enabled. The default Erlang distribution configuration does not use TLS and is not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.13",
"versionStartIncluding": "26.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.2",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.2",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lukas Backstr\u00f6m"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ingela Anderton Andin"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Raimo Niskanen"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Jakub Witczak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eReliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003einet_tls_dist:check_ip/1\u003c/tt\u003e function, which enforces a LAN allowlist for Erlang distribution over TLS, calls \u003ctt\u003einet:sockname/1\u003c/tt\u003e instead of \u003ctt\u003einet:peername/1\u003c/tt\u003e to obtain the peer\u0027s IP address. Because \u003ctt\u003einet:sockname/1\u003c/tt\u003e returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including \u003ctt\u003erpc:call/4\u003c/tt\u003e and \u003ctt\u003ecode:load_binary/3\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/ssl/src/inet_tls_dist.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.\u003c/p\u003e"
}
],
"value": "Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist.\n\nThe inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead of inet:peername/1 to obtain the peer\u0027s IP address. Because inet:sockname/1 returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including rpc:call/4 and code:load_binary/3.\n\nThis vulnerability is associated with program file lib/ssl/src/inet_tls_dist.erl.\n\nThis issue affects OTP from OTP 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
},
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1025",
"description": "CWE-1025 Comparison Using Wrong Factors",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T04:45:42.753Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-gp7x-mfv6-52cv"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48860.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48860"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/0209a6df65d605552b378273027b3968b35f26b4"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Distribution-over-TLS LAN allowlist silently bypassed due to sockname/peername confusion in inet_tls_dist",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Implement a custom \u003ctt\u003everify_fun\u003c/tt\u003e SSL option that correctly checks the peer IP address using \u003ctt\u003einet:peername/1\u003c/tt\u003e on the socket."
}
],
"value": "Implement a custom verify_fun SSL option that correctly checks the peer IP address using inet:peername/1 on the socket."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48860",
"datePublished": "2026-06-10T14:35:49.987Z",
"dateReserved": "2026-05-25T20:44:10.697Z",
"dateUpdated": "2026-06-11T04:45:42.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48914 (GCVE-0-2026-48914)
Vulnerability from cvelistv5 – Published: 2026-06-12 09:42 – Updated: 2026-06-15 13:00
VLAI
EPSS
Title
Qemu-kvm: heap buffer overflow in virtio-blk scsi request handling
Summary
A flaw was found in QEMU's virtio-blk device. The issue arises because the device does not properly validate the size of input descriptors before writing data. A malicious guest with high privileges could exploit this vulnerability by submitting a malformed virtio-blk SCSI request, leading to an out-of-bounds write in the host heap memory and a potential denial of service (DoS) for the QEMU process.
Severity
6.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://access.redhat.com/security/cve/CVE-2026-48914 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2488283 | issue-trackingx_refsource_REDHAT |
| https://lore.kernel.org/qemu-devel/20260526154957… |
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
|
Affected:
1.1.0 , ≤ 11.0.1
(semver)
|
|||
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 6 |
cpe:/o:redhat:enterprise_linux:6 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat Enterprise Linux for NVIDIA 26 |
cpe:/a:redhat:enterprise_linux_nvidia: |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
Date Public
2026-05-26 00:00
Credits
Red Hat would like to thank Feifan Qian <bea1e@proton.me> for reporting this issue.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48914",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T09:57:24.232821Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T09:57:53.555Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://gitlab.com/qemu-project/qemu",
"defaultStatus": "unaffected",
"packageName": "qemu",
"versions": [
{
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "1.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "qemu-kvm-ma",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux_nvidia:"
],
"defaultStatus": "affected",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux for NVIDIA 26",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Feifan Qian \u003cbea1e@proton.me\u003e for reporting this issue."
}
],
"datePublic": "2026-05-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in QEMU\u0027s virtio-blk device. The issue arises because the device does not properly validate the size of input descriptors before writing data. A malicious guest with high privileges could exploit this vulnerability by submitting a malformed virtio-blk SCSI request, leading to an out-of-bounds write in the host heap memory and a potential denial of service (DoS) for the QEMU process."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T13:00:33.022Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-48914"
},
{
"name": "RHBZ#2488283",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488283"
},
{
"url": "https://lore.kernel.org/qemu-devel/20260526154957.1741622-1-stefanha@redhat.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-12T09:09:42.108Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-26T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Qemu-kvm: heap buffer overflow in virtio-blk scsi request handling",
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-122: Heap-based Buffer Overflow"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-48914",
"datePublished": "2026-06-12T09:42:36.313Z",
"dateReserved": "2026-05-26T12:51:11.502Z",
"dateUpdated": "2026-06-15T13:00:33.022Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49759 (GCVE-0-2026-49759)
Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-07-01 04:45
VLAI
EPSS
Title
Stack buffer overflow in SCTP error cause parsing in inet_drv allows remote VM crash
Summary
Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk.
The sctp_parse_error_chunk function in erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated ErlDrvTermData spec[] array without checking bounds. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit values interleaved with a fixed tag, so the overflow does not provide a controlled return address, limiting exploitation to Denial of Service.
A crafted SCTP ERROR chunk may also leak bits and pieces of Erlang VM memory into the received error packet observed by the Erlang process. Such data is already readable by the user running the Erlang VM, so the disclosure scope is limited.
This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and 17.0.2.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-49759.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-49759 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/3983d4952843… | patch |
| https://access.redhat.com/security/cve/CVE-2026-49759 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487607 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| Erlang | OTP |
Affected:
6.0 , < *
(otp)
cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:* |
|
| Erlang | OTP |
Affected:
17.0 , < *
(otp)
Affected: 84adefa331c4159d432d22840663c38f155cd4c1 , < 3983d495284331c121f600a80bac9fcf4e16381e (git) cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:* |
|
| Red Hat | Red Hat OpenStack Platform 16.2 |
cpe:/a:redhat:openstack:16.2 |
|
| Red Hat | Red Hat OpenStack Platform 17.1 |
cpe:/a:redhat:openstack:17.1 |
|
| Red Hat | Red Hat OpenStack Platform 18.0 |
cpe:/a:redhat:openstack:18.0 |
Credits
Zhang Delong
Raimo Niskanen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49759",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:18:27.945916Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:18:43.800Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openstack:16.2"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenStack Platform 16.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:17.1"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenStack Platform 17.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:18.0"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenStack Platform 18.0",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-10T14:35:38.838Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Erlang OTP (Open Telecom Platform) erts, specifically within the `inet_drv` component. An unauthenticated remote attacker can exploit a stack-based buffer overflow vulnerability by sending a specially crafted Stream Control Transmission Protocol (SCTP) ERROR chunk. This can lead to a Denial of Service (DoS) by crashing the BEAM virtual machine. Additionally, this flaw may result in limited information disclosure by leaking small portions of Erlang VM memory."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:09:55.439Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-49759"
},
{
"name": "RHBZ#2487607",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487607"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49759.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-10T16:01:51.030Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-10T14:35:38.838Z",
"value": "Made public."
}
],
"title": "erlang: Erlang OTP: Denial of Service via crafted SCTP ERROR chunk",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"inet_drv"
],
"packageName": "erts",
"packageURL": "pkg:otp/erts?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"emulator/drivers/common/inet_drv.c"
],
"programRoutines": [
{
"name": "sctp_parse_error_chunk"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "15.2.7.9",
"status": "unaffected"
},
{
"at": "16.4.0.2",
"status": "unaffected"
},
{
"at": "17.0.2",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "6.0",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"inet_drv"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"erts/emulator/drivers/common/inet_drv.c"
],
"programRoutines": [
{
"name": "sctp_parse_error_chunk"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "27.3.4.13",
"status": "unaffected"
},
{
"at": "28.5.0.2",
"status": "unaffected"
},
{
"at": "29.0.2",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"lessThan": "3983d495284331c121f600a80bac9fcf4e16381e",
"status": "affected",
"version": "84adefa331c4159d432d22840663c38f155cd4c1",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SCTP support must be compiled into OTP. A listening SCTP socket must be opened via \u003ctt\u003egen_sctp\u003c/tt\u003e with the default \u003ctt\u003einet\u003c/tt\u003e backend and must be reachable from the attacker\u0027s network. Windows builds are unaffected as SCTP is not supported on Windows."
}
],
"value": "SCTP support must be compiled into OTP. A listening SCTP socket must be opened via gen_sctp with the default inet backend and must be reachable from the attacker\u0027s network. Windows builds are unaffected as SCTP is not supported on Windows."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.13",
"versionStartIncluding": "17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.2",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.2",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Zhang Delong"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Raimo Niskanen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stack-based Buffer Overflow vulnerability in Erlang OTP \u003ctt\u003eerts\u003c/tt\u003e (\u003ctt\u003einet_drv\u003c/tt\u003e) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk.\u003cp\u003eThe \u003ctt\u003esctp_parse_error_chunk\u003c/tt\u003e function in \u003ctt\u003eerts/emulator/drivers/common/inet_drv.c\u003c/tt\u003e parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated \u003ctt\u003eErlDrvTermData spec[]\u003c/tt\u003e array without checking bounds. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit values interleaved with a fixed tag, so the overflow does not provide a controlled return address, limiting exploitation to Denial of Service.\u003c/p\u003e\u003cp\u003eA crafted SCTP ERROR chunk may also leak bits and pieces of Erlang VM memory into the received error packet observed by the Erlang process. Such data is already readable by the user running the Erlang VM, so the disclosure scope is limited.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and 17.0.2.\u003c/p\u003e"
}
],
"value": "Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk.\n\nThe sctp_parse_error_chunk function in erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated ErlDrvTermData spec[] array without checking bounds. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit values interleaved with a fixed tag, so the overflow does not provide a controlled return address, limiting exploitation to Denial of Service.\n\nA crafted SCTP ERROR chunk may also leak bits and pieces of Erlang VM memory into the received error packet observed by the Erlang process. Such data is already readable by the user running the Erlang VM, so the disclosure scope is limited.\n\nThis issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and 17.0.2."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T04:45:31.080Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-6f4f-chj5-5g97"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-49759.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-49759"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/3983d495284331c121f600a80bac9fcf4e16381e"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stack buffer overflow in SCTP error cause parsing in inet_drv allows remote VM crash",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-49759",
"datePublished": "2026-06-10T14:35:38.838Z",
"dateReserved": "2026-06-01T13:45:22.449Z",
"dateUpdated": "2026-07-01T04:45:31.080Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49760 (GCVE-0-2026-49760)
Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
VLAI
EPSS
Title
Stack Buffer Overflow in ei_s_print_term at Very Large Integer
Summary
Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow.
This vulnerability is associated with program file lib/erl_interface/src/misc/ei_printterm.c and program routine ei_s_print_term.
The C function ei_s_print_term uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of 0-9 and A-F, which limits exploitation to Denial of Service.
The companion function ei_print_term, which prints directly to a FILE instead of a memory buffer, does not contain this bug.
This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-49760.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-49760 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/0bef277b2d39… | patch |
Impacted products
2 products
Credits
Jonatan Männchen / EEF
Sverker Eriksson
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49760",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:16:14.697009Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:16:28.366Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"erl_interface"
],
"packageName": "erl_interface",
"packageURL": "pkg:otp/erl_interface?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/misc/ei_printterm.c"
],
"programRoutines": [
{
"name": "ei_s_print_term"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "5.5.2.1",
"status": "unaffected"
},
{
"at": "5.7.0.1",
"status": "unaffected"
},
{
"at": "5.8.1",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.7.16",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"erl_interface"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/erl_interface/src/misc/ei_printterm.c"
],
"programRoutines": [
{
"name": "ei_s_print_term"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "27.3.4.13",
"status": "unaffected"
},
{
"at": "28.5.0.2",
"status": "unaffected"
},
{
"at": "29.0.2",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"lessThan": "0bef277b2d39dc8babb9ceb4f5d0a456f3007111",
"status": "affected",
"version": "84adefa331c4159d432d22840663c38f155cd4c1",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.2",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.2",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sverker Eriksson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eStack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/erl_interface/src/misc/ei_printterm.c\u003c/tt\u003e and program routine \u003ctt\u003eei_s_print_term\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe C function \u003ctt\u003eei_s_print_term\u003c/tt\u003e uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of \u003ctt\u003e0\u003c/tt\u003e-\u003ctt\u003e9\u003c/tt\u003e and \u003ctt\u003eA\u003c/tt\u003e-\u003ctt\u003eF\u003c/tt\u003e, which limits exploitation to Denial of Service.\u003c/p\u003e\u003cp\u003eThe companion function \u003ctt\u003eei_print_term\u003c/tt\u003e, which prints directly to a \u003ctt\u003eFILE\u003c/tt\u003e instead of a memory buffer, does not contain this bug.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.\u003c/p\u003e"
}
],
"value": "Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow.\n\nThis vulnerability is associated with program file lib/erl_interface/src/misc/ei_printterm.c and program routine ei_s_print_term.\n\nThe C function ei_s_print_term uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of 0-9 and A-F, which limits exploitation to Denial of Service.\n\nThe companion function ei_print_term, which prints directly to a FILE instead of a memory buffer, does not contain this bug.\n\nThis issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1."
}
],
"impacts": [
{
"capecId": "CAPEC-8",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-8 Buffer Overflow in an API Call"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T04:45:57.427Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-xcxj-5pg2-v72j"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-49760.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-49760"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/0bef277b2d39dc8babb9ceb4f5d0a456f3007111"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Stack Buffer Overflow in ei_s_print_term at Very Large Integer",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Avoid calling \u003ctt\u003eei_s_print_term\u003c/tt\u003e with untrusted data whose encoded integer representation could exceed 2000 characters."
}
],
"value": "Avoid calling ei_s_print_term with untrusted data whose encoded integer representation could exceed 2000 characters."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-49760",
"datePublished": "2026-06-10T14:35:36.804Z",
"dateReserved": "2026-06-01T13:45:22.449Z",
"dateUpdated": "2026-06-11T04:45:57.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…