PatchSiren cyber security CVE debrief
CVE-2026-32144 Erlang CVE debrief
CVE-2026-32144 is an Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module). This vulnerability allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate's issuer name matches the CA's subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid. This affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context.
- Vendor: Erlang
- Product: OTP
- CVSS: HIGH 7.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-07
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-07
- Advisory updated: 2026-06-30
Who should care
Any organization running Erlang OTP SSL/TLS clients with OCSP stapling enabled should prioritize patching; this covers Erlang-based services that rely on stapled revocation status for outbound TLS, especially where sensitive data crosses the connection. Applications that call public_key:pkix_ocsp_validate/5 directly are affected too; how badly depends on what decision they make on a forged "good" status.
Technical summary
The vulnerability is in public_key:pkix_ocsp_validate/5, which fails to verify the signature on a CA-designated responder certificate. The authorization routine, pubkey_ocsp:is_authorized_responder/3 in lib/public_key/src/pubkey_ocsp.erl, checks only that the responder certificate's issuer name matches the CA's subject name and that the certificate carries the OCSPSigning extended key usage; it never checks that the CA's key actually signed the certificate. An attacker in a position to supply OCSP responses (for example, on the path of a stapling connection) can therefore build a self-signed responder certificate with the right issuer name and EKU, sign a "good" response for a revoked certificate with it, and have SSL/TLS clients that use OCSP stapling accept that response. Affected versions: OTP 27.0 up to, but not including, 27.3.4.10 on the 27 branch and 28.4.2 on the 28 branch; correspondingly public_key 1.16 up to 1.17.1.2 and 1.20.3, and ssl 11.2 up to 11.2.12.7 and 11.5.4.
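The Go program below is an added example, not code from the Erlang/OTP project and not a line-for-line port of pubkey_ocsp:is_authorized_responder/3. It models the flawed authorization check beside the corrected one using Go's standard crypto/x509 package: a CA, a responder the CA really delegated to, and a rogue self-signed certificate that only copies the CA's name into its issuer field and carries the OCSPSigning EKU, exactly the shape of certificate the summary says the vulnerable check accepts. All keys, names ("Example Issuing CA", "Example OCSP Responder") and certificates are constructed in memory, and VulnerableIsAuthorizedResponder / FixedIsAuthorizedResponder are illustrative names chosen here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario: the CA, the responder it really delegated to, and a rogue self-signed cert.
type Scenario struct{ CA, Legit, Rogue *x509.Certificate }

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustSign issues template as a certificate: parent supplies the issuer name
// (parent.Subject), signerKey the signature. Panics on error (test data only).
func mustSign(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// responderTemplate carries id-kp-OCSPSigning (RFC 6960 section 4.2.2.2), the
// EKU a CA places on a certificate when it delegates OCSP response signing.
func responderTemplate(serial int64, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "Example OCSP Responder"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning},
	}
}

// BuildScenario generates every key and certificate in memory (constructed
// test data; nothing is read from disk or the network).
func BuildScenario() *Scenario {
	caKey, legitKey, rogueKey := mustKey(), mustKey(), mustKey()
	notBefore := time.Now().Add(-time.Hour)
	notAfter := notBefore.Add(365 * 24 * time.Hour)
	caName := pkix.Name{CommonName: "Example Issuing CA", Organization: []string{"Example Corp"}}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: caName, NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := mustSign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	// Legitimate designated responder: issued and signed by the CA.
	legit := mustSign(responderTemplate(2, notBefore, notAfter), ca, &legitKey.PublicKey, caKey)
	// Rogue responder: same EKU, issuer field spoofed to the CA's name, but signed
	// with the attacker's own key. The fake parent template carries only the name.
	rogue := mustSign(responderTemplate(3, notBefore, notAfter), &x509.Certificate{Subject: caName}, &rogueKey.PublicKey, rogueKey)
	return &Scenario{CA: ca, Legit: legit, Rogue: rogue}
}

func hasOCSPSigningEKU(c *x509.Certificate) bool {
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			return true
		}
	}
	return false
}

// VulnerableIsAuthorizedResponder reproduces the flawed logic the debrief describes:
// issuer name equals the CA's subject and the OCSPSigning EKU is present. Nothing
// here proves the CA ever issued this certificate.
func VulnerableIsAuthorizedResponder(responder, ca *x509.Certificate) bool {
	return bytes.Equal(responder.RawIssuer, ca.RawSubject) && hasOCSPSigningEKU(responder)
}

// FixedIsAuthorizedResponder keeps those checks and adds the missing one: the
// responder certificate's signature must verify under the CA's public key.
func FixedIsAuthorizedResponder(responder, ca *x509.Certificate) bool {
	return VulnerableIsAuthorizedResponder(responder, ca) && responder.CheckSignatureFrom(ca) == nil
}

func main() {
	s := BuildScenario()
	for name, c := range map[string]*x509.Certificate{"legit": s.Legit, "rogue": s.Rogue} {
		fmt.Printf("%s: vulnerable=%v fixed=%v\n", name, VulnerableIsAuthorizedResponder(c, s.CA), FixedIsAuthorizedResponder(c, s.CA))
	}
}
```

Run with go run: the legitimate responder passes both checks, the rogue one passes only the vulnerable check. CheckSignatureFrom also insists the signer carries cA=TRUE and keyCertSign before it will verify anything, which is the right posture for a delegated-responder check. A complete implementation additionally validates the responder certificate itself (validity period and, per RFC 6960 section 4.2.2.2.1, its own revocation handling), which this example leaves out.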
Defensive priority
Patch promptly. Update to OTP 28.4.2 (28 branch) or 27.3.4.10 (27 branch), which carry public_key 1.20.3 / 1.17.1.2 and ssl 11.5.4 / 11.2.12.7 respectively. The vulnerability is rated high severity (CVSS 7.6), and the attacker needs nothing beyond the ability to intercept or supply OCSP responses, so treat this as immediate.
Recommended defensive actions
- On the OTP 28 branch, update to 28.4.2 or later.
- On the OTP 27 branch, update to 27.3.4.10 or later.
- Confirm the installed public_key application is 1.20.3 or later (27 branch: 1.17.1.2 or later).
- Confirm the installed ssl application is 11.5.4 or later (27 branch: 11.2.12.7 or later).
- Review applications that call public_key:pkix_ocsp_validate/5 directly and rebuild them on the patched release; a "good" status returned before the fix may have come from an unauthorized responder.
- Log and review the responder certificates seen in stapled OCSP responses; a responder certificate the CA never issued (self-signed, but naming the CA as issuer) is the signature of this attack.
- Disabling OCSP stapling on the client, if patching is not immediately feasible, closes the forged-response path only by giving up revocation checking altogether; treat it as a stopgap, not a fix.
Evidence notes
The CVE-2026-32144 vulnerability details were obtained from the NVD and CVE.org. The vulnerability affects multiple versions of Erlang OTP, specifically in the public_key and ssl components. The CVSS score is 7.6, indicating high severity. The vulnerability allows for OCSP designated-responder authorization bypass, potentially leading to sensitive data exposure.
Official resources
- CVE-2026-32144 CVE record (CVE.org)
- CVE-2026-32144 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor references, corpus identifier 6b3ad84c-e1a6-4bf7-a703-f496b71e49db: Vendor Advisory, Patch, Mitigation, Third Party Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.