PatchSiren cyber security CVE debrief

CVE-2026-48860 Erlang CVE debrief

CVE-2026-48860 is a HIGH severity vulnerability in OTP's ssl application (inet_tls_dist module). An unauthenticated attacker can bypass the distribution-over-TLS LAN allowlist because the inet_tls_dist:check_ip/1 function obtains the address to check with inet:sockname/1 (the local end of the socket) instead of inet:peername/1 (the remote end). The subnet mask comparison therefore always succeeds, so any holder of a CA-signed TLS certificate can gain full Erlang distribution access to the node. Affected versions are OTP from 26.0 up to, but not including, the fixed releases 29.0.2, 28.5.0.2 and 27.3.4.13, corresponding to ssl from 11.0 up to, but not including, 11.7.2, 11.6.0.2 and 11.2.12.9.

Vendor: Erlang
Product: OTP
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-10
Original CVE updated: 2026-06-10
Advisory published: 2026-06-10
Advisory updated: 2026-06-10

Who should care

Users running OTP 26.0 or later below 29.0.2, 28.5.0.2 or 27.3.4.13 (ssl 11.0 or later below 11.7.2, 11.6.0.2 or 11.2.12.9) should apply the fixed releases to prevent exploitation.

Technical summary

The inet_tls_dist:check_ip/1 function in OTP's ssl application (inet_tls_dist module) uses inet:sockname/1 instead of inet:peername/1 to obtain the IP address it checks against the LAN allowlist. inet:sockname/1 returns the node's own address for the connection, which by construction lies within one of the node's interface subnets, so the subnet mask comparison succeeds no matter where the connection actually comes from. An unauthenticated attacker can therefore bypass the distribution-over-TLS LAN allowlist.
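The following Erlang module is an added example, not OTP's own inet_tls_dist source. It shows a simplified form of the allowlist check: check_peer/2 applies each local interface's netmask to both addresses, and the two socket wrappers differ only in whether the compared address comes from inet:peername/1 (the remote end) or inet:sockname/1 (the local end). The module name, the {Addr, Netmask} interface-list shape and the sample addresses are constructed for illustration.

```erlang
%% Added example (not OTP's own inet_tls_dist code): a simplified
%% distribution LAN allowlist check in the style of check_ip/1, built on
%% constructed data so it runs offline. The module name and the
%% {InterfaceAddr, Netmask} list shape are assumptions made for illustration.
-module(dist_lan_check).
-export([check_peer/2, check_ip_correct/2, check_ip_flawed/2, demo/0]).

%% Bitwise AND of an IPv4 address tuple with a netmask tuple.
mask({A, B, C, D}, {M1, M2, M3, M4}) ->
    {A band M1, B band M2, C band M3, D band M4}.

%% True when Addr lies in the subnet of local interface {OwnIP, Netmask}.
same_subnet(Addr, {OwnIP, Netmask}) ->
    mask(Addr, Netmask) =:= mask(OwnIP, Netmask).

%% Allow the connection only if the address being checked shares a subnet
%% with one of this node's interfaces. IFs is a constructed list of
%% {InterfaceAddr, Netmask} pairs (inet:getif/1 returns richer tuples).
check_peer(PeerIP, IFs) ->
    case lists:any(fun(IF) -> same_subnet(PeerIP, IF) end, IFs) of
        true  -> ok;
        false -> {error, {not_on_lan, PeerIP}}
    end.

%% Correct wiring: the compared address comes from inet:peername/1,
%% i.e. the remote end of the TLS connection.
check_ip_correct(Socket, IFs) ->
    {ok, {PeerIP, _Port}} = inet:peername(Socket),
    check_peer(PeerIP, IFs).

%% Flawed wiring of the kind the advisory describes: inet:sockname/1
%% returns the *local* address of the socket, which is by construction one
%% of this node's own interface addresses, so the comparison never fails.
check_ip_flawed(Socket, IFs) ->
    {ok, {LocalIP, _Port}} = inet:sockname(Socket),
    check_peer(LocalIP, IFs).

%% Constructed walk-through: one /24 interface, one on-LAN peer, one
%% off-LAN peer, and the value the flawed path effectively compares.
demo() ->
    IFs = [{{10, 0, 0, 5}, {255, 255, 255, 0}}],
    ok = check_peer({10, 0, 0, 9}, IFs),             % same /24: allowed
    {error, _} = check_peer({203, 0, 113, 7}, IFs),  % off-LAN: rejected
    %% sockname hands the check the node's own address, so whoever the
    %% remote peer is, this is what gets compared and it always passes:
    ok = check_peer({10, 0, 0, 5}, IFs),
    ok.
```

Compile and run the walk-through with erlc dist_lan_check.erl followed by erl -noshell -s dist_lan_check demo -s init stop; the pattern matches in demo/0 crash the VM if any expected result differs. The point to take from check_ip_flawed/2 is that the comparison logic itself is sound; it is the source of the compared address that makes the allowlist meaningless.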

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to the fixed OTP releases 29.0.2, 28.5.0.2 or 27.3.4.13 (ssl 11.7.2, 11.6.0.2 or 11.2.12.9).
  • Restrict Erlang distribution access to trusted nodes only.
  • Monitor for suspicious activity on Erlang distribution ports.

Evidence notes

CVE-2026-48860 has a CVSS score of 7.5 and is classified as HIGH severity. The vulnerability is associated with CWE-863 (Incorrect Authorization) and CWE-1025 (Comparison Using Wrong Factors).

Official resources

CVE-2026-48860 was published on 2026-06-10T16:17:12.503Z and modified on 2026-06-10T20:19:35.917Z.