PatchSiren cyber security CVE debrief

CVE-2026-49759 Erlang CVE debrief

CVE-2026-49759 is a Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv). An unauthenticated remote attacker can crash the BEAM VM by sending a crafted SCTP ERROR chunk. The vulnerability exists in the sctp_parse_error_chunk function in erts/emulator/drivers/common/inet_drv.c, which parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated ErlDrvTermData spec[] array without checking bounds.

Vendor
Erlang
Product
OTP
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-10
Original CVE updated
2026-06-10
Advisory published
2026-06-10
Advisory updated
2026-06-10

Who should care

Users of Erlang OTP, particularly those with exposed SCTP associations, should be aware of this vulnerability.

Technical summary

The sctp_parse_error_chunk function in erts/emulator/drivers/common/inet_drv.c does not check bounds when writing cause codes into a fixed-size stack-allocated ErlDrvTermData spec[] array. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM.
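The bug class described above is a missing bound on a TLV loop. The following is an added illustration, not OTP's or inet_drv.c's code: it parses the cause-code TLVs of an SCTP ERROR chunk (RFC 4960 layout) into a fixed-size array and refuses both truncated causes and any chunk carrying more causes than the array holds; the array size, helper names and constructed input are assumptions for the demonstration.

```c
/* Added illustration, not OTP's code: bounds-checked parsing of the cause-code
 * TLVs of an SCTP ERROR chunk (RFC 4960: 16-bit code, 16-bit length, 4-byte
 * padding) into a fixed-size array. Array size and helper names are constructed. */
#include <stddef.h>
#include <stdint.h>
#define SCTP_CHUNK_ERROR 9
#define MAX_CAUSES 8   /* stands in for the fixed capacity of a stack array */

/* Returns the number of cause codes stored, or -1 if the chunk is malformed
 * or carries more causes than `out` can hold. */
int parse_error_chunk_causes(const uint8_t *buf, size_t len,
                             uint16_t *out, size_t out_max)
{
    if (len < 4 || buf[0] != SCTP_CHUNK_ERROR) return -1;
    size_t chunk_len = ((size_t)buf[2] << 8) | buf[3];
    if (chunk_len < 4 || chunk_len > len) return -1;      /* header overstates size */
    size_t off = 4, n = 0;
    while (off + 4 <= chunk_len) {
        uint16_t code = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        size_t clen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        if (clen < 4 || off + clen > chunk_len) return -1; /* truncated cause */
        if (n >= out_max) return -1;   /* the bound the vulnerable path lacked */
        out[n++] = code;
        off += (clen + 3) & ~(size_t)3;                    /* causes are 4-byte padded */
    }
    return (int)n;
}

/* Constructed input: an ERROR chunk holding `count` minimal causes. */
static size_t build_error_chunk(uint8_t *buf, size_t cap, size_t count, uint16_t code)
{
    size_t total = 4 + count * 4;
    if (total > cap || total > 0xFFFF) return 0;
    buf[0] = SCTP_CHUNK_ERROR; buf[1] = 0;
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    for (size_t i = 0; i < count; i++) {
        uint8_t *c = buf + 4 + i * 4;
        c[0] = (uint8_t)(code >> 8); c[1] = (uint8_t)code; c[2] = 0; c[3] = 4;
    }
    return total;
}

/* Builds a chunk with `count` causes and parses it into a MAX_CAUSES array. */
int parse_constructed_chunk(size_t count, uint16_t code)
{
    uint8_t buf[512];
    uint16_t codes[MAX_CAUSES];
    size_t len = build_error_chunk(buf, sizeof buf, count, code);
    return len ? parse_error_chunk_causes(buf, len, codes, MAX_CAUSES) : -2;
}
```

A chunk with up to MAX_CAUSES causes parses to its cause count; one cause more is rejected before any write past the array.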

Defensive priority

High

Recommended defensive actions

  • Update to a patched version of Erlang OTP: 27.3.4.13, 28.5.0.2, or 29.0.2.
  • Restrict access to SCTP listeners so that only trusted peers can establish associations.
  • Monitor for SCTP ERROR chunks carrying unusually many cause codes, and for unexpected BEAM VM crashes.

Evidence notes

CVE-2026-49759 affects OTP versions from 17.0 up to, but not including, 27.3.4.13, 28.5.0.2 and 29.0.2; this corresponds to erts versions from 6.0 up to, but not including, 15.2.7.9, 16.4.0.2 and 17.0.2.

Official resources

CVE-2026-49759 was published on 2026-06-10T16:17:12.797Z and modified on 2026-06-10T20:19:35.917Z.