PatchSiren cyber security CVE debrief
CVE-2026-32147 Erlang CVE debrief
CVE-2026-32147 is an authenticated SFTP path handling flaw in Erlang OTP's ssh_sftpd module. According to the supplied advisory data, the daemon can retain the raw user-supplied path in file handles rather than the chroot-resolved path, so a later SSH_FXP_FSETSTAT operation may apply attribute changes to the real filesystem path outside the intended root directory boundary. The issue is limited to file attribute modification, but if sshd runs as root it can still have serious operational impact.
- Vendor: Erlang
- Product: OTP
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-04-21
- Advisory updated: 2026-05-21
Who should care
Administrators and operators running Erlang OTP SSH/SFTP services with the root option enabled, especially deployments where the SSH daemon runs with elevated privileges. Systems that expose SFTP to authenticated users and rely on chroot-style boundaries for isolation should treat this as relevant even if file contents are not directly exposed.
Technical summary
The corpus describes a path traversal (restricted-directory bypass) in lib/ssh/src/ssh_sftpd.erl, specifically in ssh_sftpd:do_open/4 and ssh_sftpd:handle_op/4. The flaw occurs when ssh_sftpd stores the original, user-provided pathname in a file handle instead of the chroot-resolved path. If SSH_FXP_FSETSTAT is then issued on that handle, the daemon may modify attributes on the underlying real path outside the configured root directory, provided a target file exists at the same relative path on the host filesystem. The supplied data identifies CWE-22 and the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N.
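To make the handle-storage defect concrete, the following is an added illustration written for this debrief; it is not code from Erlang/OTP and does not reproduce ssh_sftpd's actual implementation. It models a minimal SFTP handle table with a constructed root of /srv/sftp and a constructed client path, and compares a handle that keeps the raw client path (the pattern the advisory describes) with one that keeps the chroot-resolved path. No filesystem operation is performed; the code only computes which host path a later FSETSTAT would act on. The class and function names are assumptions, not OTP identifiers.

```python
import posixpath
from dataclasses import dataclass


class PathEscapesRoot(PermissionError):
    """Raised when a client path would resolve outside the configured root."""


@dataclass
class Handle:
    # Host path that later handle-based operations (FSETSTAT etc.) will act on.
    path: str


class SftpdModel:
    """Constructed model of a chroot-style SFTP server (not OTP's ssh_sftpd)."""

    def __init__(self, root: str) -> None:
        self.root = posixpath.normpath(root)
        self.handles: dict[int, Handle] = {}
        self._next_id = 0

    def resolve(self, client_path: str) -> str:
        """Map a client-supplied path onto the host path under root.

        A leading '/' is relative to the root, '..' is collapsed, and any
        result outside root is rejected rather than silently clamped.
        """
        joined = posixpath.normpath(posixpath.join(self.root, client_path.lstrip("/")))
        if joined != self.root and not joined.startswith(self.root + "/"):
            raise PathEscapesRoot(f"{client_path!r} resolves outside {self.root}")
        return joined

    def _new_handle(self, path: str) -> int:
        hid = self._next_id
        self._next_id += 1
        self.handles[hid] = Handle(path=path)
        return hid

    def do_open_vulnerable(self, client_path: str) -> int:
        # The open itself is confined to root (this lookup would fail if the
        # file does not exist inside the chroot), but the handle remembers the
        # raw client string rather than the resolved host path.
        self.resolve(client_path)
        return self._new_handle(client_path)  # defect: raw path stored

    def do_open_fixed(self, client_path: str) -> int:
        # Store only the chroot-resolved host path in the handle.
        return self._new_handle(self.resolve(client_path))

    def fsetstat_target(self, hid: int) -> str:
        """Host path an FSETSTAT on this handle would change attributes on.

        The OS interprets the stored string as an absolute host path; this is
        where a raw client path of '/etc/x' stops meaning '<root>/etc/x'.
        """
        return posixpath.normpath(self.handles[hid].path)


if __name__ == "__main__":
    srv = SftpdModel("/srv/sftp")
    client_path = "/etc/app.conf"  # constructed client-supplied path
    bad = srv.do_open_vulnerable(client_path)
    good = srv.do_open_fixed(client_path)
    print("vulnerable handle targets:", srv.fsetstat_target(bad))
    print("fixed handle targets:     ", srv.fsetstat_target(good))
```

The check in resolve() is the defensive property worth carrying over: confinement must be enforced on the value actually stored in the handle, because every later handle-based operation trusts that value without re-resolving it.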
Defensive priority
High for exposed SFTP services that use chroot/root confinement and run with privileged daemons; medium otherwise. The practical risk is narrower than content disclosure or arbitrary file write, but attribute changes such as ownership, permissions, or setuid bits can still create a privilege-escalation path on root-run systems.
Recommended defensive actions
- Upgrade to a fixed Erlang OTP release that falls outside the vulnerable ranges listed in the advisory data: OTP 28.4.3 or later, 27.3.4.11 or later, or 26.2.5.20 or later, as applicable to your branch.
- Review any SFTP deployments that use the root option and confirm whether the SSH daemon runs as root; reduce privilege where possible.
- Restrict SFTP access to trusted authenticated users until patched, especially on systems where matching host filesystem paths may exist outside the chroot.
- Audit file ownership, mode, and timestamp changes on hosts that expose SFTP, with emphasis on sensitive binaries and configuration files.
- Use the vendor advisory and associated patch commit to validate whether your packaged Erlang/OTP build includes the fix before declaring systems remediated.
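As an added helper for the upgrade step above (written for this debrief, not part of the advisory or of OTP), the following classifies an installed OTP version against the three fixed releases the advisory data names. It assumes a dotted version string such as the one reported by the OTP release files, optionally prefixed with "OTP-", and deliberately reports "unknown" for any major branch the advisory data does not cover, rather than guessing.

```python
import re

# Fixed releases per supported branch, from the advisory data in this debrief.
FIXED_BY_BRANCH = {
    28: (28, 4, 3),
    27: (27, 3, 4, 11),
    26: (26, 2, 5, 20),
}


def parse_otp_version(version: str) -> tuple[int, ...]:
    """Turn 'OTP-27.3.4.11' or '27.3.4.11' into a comparable integer tuple."""
    text = version.strip()
    if text.upper().startswith("OTP-"):
        text = text[4:]
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised OTP version string: {version!r}")
    return tuple(int(part) for part in text.split("."))


def classify_otp_version(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for CVE-2026-32147.

    Comparison is per branch: 27.3.4.11 is fixed, but 28.0.0 is not, even
    though 28 > 27. Branches the advisory data does not list are 'unknown'.
    Python tuple ordering makes '27.3.4' < '27.3.4.11' without padding.
    """
    parsed = parse_otp_version(version)
    fixed = FIXED_BY_BRANCH.get(parsed[0])
    if fixed is None:
        return "unknown"
    return "fixed" if parsed >= fixed else "vulnerable"


if __name__ == "__main__":
    for sample in ("OTP-28.4.3", "28.4.2", "27.3.4.11", "27.3.4", "26.2.5.20", "25.3"):
        print(f"{sample:>12}: {classify_otp_version(sample)}")
```

Note that the result describes the OTP source release only; as the last action above says, a distribution package may carry the patch under an older version string, so confirm against the vendor advisory and patch commit before closing the finding.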
Evidence notes
All claims here are derived from the supplied CVE record, NVD metadata, and linked vendor references listed in the corpus. The record states the affected component is Erlang OTP ssh/ssh_sftpd, the weakness is CWE-22, and the issue permits file-attribute modification outside the configured chroot boundary for authenticated SFTP users. Published time used for context: 2026-04-21T12:15:58.800Z; modified time: 2026-05-21T15:22:33.030Z.
Official resources
- CVE-2026-32147 CVE record (CVE.org)
- CVE-2026-32147 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Vendor Advisory
- Mitigation or vendor reference: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Patch
- Mitigation or vendor reference: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Third Party Advisory
- Source reference: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Product
CVE published 2026-04-21T12:15:58.800Z and last modified 2026-05-21T15:22:33.030Z. The corpus does not indicate KEV listing or ransomware association.