PatchSiren cyber security CVE debrief

CVE-2026-49760 Erlang CVE debrief

A stack-based buffer overflow vulnerability was discovered in Erlang OTP (erl_interface), specifically in the source file lib/erl_interface/src/misc/ei_printterm.c and the function ei_s_print_term. The C function ei_s_print_term uses an internal 2000-character stack buffer to format terms. When it is called with an encoded Erlang term containing a very large integer (one whose printed representation exceeds 2000 characters), the buffer overflows. The bytes written past the buffer are restricted to the ASCII characters 0-9 and A-F, which limits the practical impact to denial of service. This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.

Vendor: Erlang
Product: OTP
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-10
Original CVE updated: 2026-06-10
Advisory published: 2026-06-10
Advisory updated: 2026-06-10

Who should care

Users of Erlang OTP (erl_interface) versions from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1 should be aware of this vulnerability.
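The affected ranges above span three release lines with a different fix version in each, which is easy to get wrong when checking by hand. The following is an added example (not PatchSiren's or Erlang/OTP's code) that turns the advisory's ranges into a version check. It assumes dotted decimal version strings (the full OTP version as found in releases/<major>/OTP_VERSION of an OTP install, and the erl_interface version from its lib/erl_interface-<version> directory name), maps release lines to the fix versions exactly as the advisory lists them, and reports lines the advisory does not name (for example erl_interface 5.6.x or OTP 30 and later) as "unknown" rather than guessing.

```python
import re

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse a dotted version such as '27.3.4.12' into a comparable tuple.
    Python compares tuples lexicographically, so (27, 3, 4) < (27, 3, 4, 13),
    which matches how OTP patch versions are ordered."""
    m = re.fullmatch(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


# Each rule: (first affected version, first version past the release line,
# fix version for that line). Values are taken from the advisory text;
# the line boundaries (28.x, 29.x, 5.6/5.8/5.9) are this example's reading of it.
OTP_RULES = [
    ((17, 0), (28,), (27, 3, 4, 13)),   # OTP 17.0 up to and including the 27.x line
    ((28,),   (29,), (28, 5, 0, 2)),    # OTP 28.x
    ((29,),   (30,), (29, 0, 2)),       # OTP 29.x
]
EI_RULES = [
    ((3, 7, 16), (5, 6), (5, 5, 2, 1)),  # erl_interface 3.7.16 up to the 5.5.x line
    ((5, 7),     (5, 8), (5, 7, 0, 1)),  # erl_interface 5.7.x
    ((5, 8),     (5, 9), (5, 8, 1)),     # erl_interface 5.8.x
]


def classify(version: str, rules) -> str:
    """Return 'affected', 'fixed', 'unaffected' (before the first affected
    version) or 'unknown' (a release line the advisory does not cover)."""
    v = parse_version(version)
    for low, high, fixed in rules:
        if low <= v < high:
            return "affected" if v < fixed else "fixed"
    if v < min(low for low, _, _ in rules):
        return "unaffected"
    return "unknown"


def ei_version_from_libdir(path: str) -> str:
    """Extract the version from an OTP lib directory such as
    '/usr/lib/erlang/lib/erl_interface-5.5.2' (OTP installs each application
    as lib/<app>-<version>)."""
    name = path.rstrip("/").rsplit("/", 1)[-1]
    m = re.fullmatch(r"erl_interface-(\d+(?:\.\d+)*)", name)
    if not m:
        raise ValueError(f"not an erl_interface lib directory: {path!r}")
    return m.group(1)


def check_host(otp_version: str, ei_libdir: str) -> dict[str, str]:
    """Classify both the OTP release and the erl_interface application of one host."""
    return {
        "otp": classify(otp_version, OTP_RULES),
        "erl_interface": classify(ei_version_from_libdir(ei_libdir), EI_RULES),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real host.
    print(check_host("27.3.4.12", "/usr/lib/erlang/lib/erl_interface-5.5.2"))
    print(check_host("28.5.0.2", "/usr/lib/erlang/lib/erl_interface-5.7.0.1"))
    print(classify("5.6.0", EI_RULES))  # line not named by the advisory
```

The "unknown" result is deliberate: a script that silently treats an unlisted line as safe hides exactly the hosts that need a human look.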

Technical summary

The vulnerability lies in the C function ei_s_print_term, which formats terms into an internal 2000-character stack buffer without bounding the output to that size. When it is called with an encoded Erlang term containing a very large integer (one whose printed representation exceeds 2000 characters), the write runs past the end of the buffer.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update to OTP version 27.3.4.13, 28.5.0.2 or 29.0.2, or erl_interface version 5.5.2.1, 5.7.0.1 or 5.8.1.

Evidence notes

The CVE-2026-49760 vulnerability was published on CVE.org.

Official resources

CVE-2026-49760 was published on 2026-06-10T16:17:12.947Z and modified on 2026-06-10T20:19:35.917Z.