PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32144 Erlang CVE debrief

CVE-2026-32144 is an Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module). This vulnerability allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate's issuer name matches the CA's subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid. This affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context.

Vendor
Erlang
Product
OTP
CVSS
HIGH 7.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-07
Original CVE updated
2026-06-30
Advisory published
2026-04-07
Advisory updated
2026-06-30

Who should care

Organizations using Erlang OTP for SSL/TLS clients with OCSP stapling should prioritize patching. This includes any entity relying on Erlang for secure communication, especially those handling sensitive data. The vulnerability's impact on applications using the public_key:pkix_ocsp_validate/5 API directly depends on their specific usage context.

Technical summary

The vulnerability is in the public_key:pkix_ocsp_validate/5 function, which fails to verify the cryptographic signature of a CA-designated responder certificate. It only checks the issuer name and the OCSPSigning extended key usage. This oversight allows an attacker to forge OCSP responses, potentially leading to the acceptance of revoked certificates by SSL/TLS clients using OCSP stapling. The affected components include lib/public_key/src/pubkey_ocsp.erl and the pubkey_ocsp:is_authorized_responder/3 routine. This issue affects OTP versions from 27.0 until 28.4.2 and 27.3.4.10, corresponding to public_key versions from 1.16 until 1.20.3 and 1.17.1.2, and ssl versions from 11.2 until 11.5.4 and 11.2.12.7.

Defensive priority

High priority should be given to patching Erlang OTP versions affected by CVE-2026-32144. Organizations should update to OTP 28.4.2 or 27.3.4.10, and ensure public_key is updated to 1.20.3 or 1.17.1.2, and ssl to 11.5.4 or 11.2.12.7. Immediate action is necessary due to the high severity of the vulnerability.

Recommended defensive actions

  • Update Erlang OTP to version 28.4.2 or later for new deployments.
  • For existing deployments, update to OTP 27.3.4.10 or later if on version 27.
  • Ensure public_key is updated to version 1.20.3 or later.
  • Ensure ssl is updated to version 11.5.4 or later.
  • Review and update applications using the public_key:pkix_ocsp_validate/5 API directly.
  • Implement additional monitoring for potential OCSP response forgery attempts.
  • Consider disabling OCSP stapling if patching is not immediately feasible.

Evidence notes

The CVE-2026-32144 vulnerability details were obtained from the NVD and CVE.org. The vulnerability affects multiple versions of Erlang OTP, specifically in the public_key and ssl components. The CVSS score is 7.6, indicating high severity. The vulnerability allows for OCSP designated-responder authorization bypass, potentially leading to sensitive data exposure.

Official resources

This article is AI-assisted and based on the supplied source corpus.