Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2026-49759

Severity CVSS v4.0:
HIGH
Type:
CWE-121 Stack-based Buffer Overflow
Publication date:
10/06/2026
Last modified:
15/06/2026

Description

Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk.<br /> <br /> The sctp_parse_error_chunk function in erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated ErlDrvTermData spec[] array without checking bounds. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit values interleaved with a fixed tag, so the overflow does not provide a controlled return address, limiting exploitation to Denial of Service.<br /> <br /> A crafted SCTP ERROR chunk may also leak bits and pieces of Erlang VM memory into the received error packet observed by the Erlang process. Such data is already readable by the user running the Erlang VM, so the disclosure scope is limited.<br /> <br /> This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and 17.0.2.

Impact

Vector 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N CVSS v4.0 Severity and Metrics:

Base Score: 8.80 HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): None
User Interaction (UI): None
Confidentiality (VC): Low
Integrity (VI): None
Availability (VA): High
Confidentiality (SC): None
Integrity (SI): None
Availability (SA): None

Base Score 4.0
8.80
Severity 4.0
HIGH
Vector 3.x
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 8.20 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): High

Base Score 3.x
8.20
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:* 17.0 (including) 27.3.4.13 (excluding)
cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:* 28.0 (including) 28.5.0.2 (excluding)
cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:* 29.0 (including) 29.0.2 (excluding)
cpe:2.3:a:erlang:erts:*:*:*:*:*:*:*:* 6.0 (including) 15.2.7.9 (excluding)
cpe:2.3:a:erlang:erts:*:*:*:*:*:*:*:* 16.0 (including) 16.4.0.2 (excluding)
cpe:2.3:a:erlang:erts:*:*:*:*:*:*:*:* 17.0 (including) 17.0.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools