PT-2026-48468 · Unknown · Erlang/Otp

Raimo Niskanen

Published 2026-06-10 · Updated 2026-06-10 · CVE-2026-49759

CVSS v4.0: 8.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

Erlang OTP versions 17.0 through 27.3.4.12
Erlang OTP version 28.5.0.1
Erlang OTP version 29.0.1
erts versions 6.0 through 15.2.7.8
erts version 16.4.0.1
erts version 17.0.1
Description

A stack-based buffer overflow exists in the sctp_parse_error_chunk() function in erts/emulator/drivers/common/inet_drv.c. The function parses SCTP ERROR chunks and writes their cause codes into a fixed-size stack-allocated spec[] array without checking that the array has room for each entry. An unauthenticated remote attacker with an established SCTP association to a listening port can send a crafted SCTP ERROR chunk containing more cause codes than the array holds, overflowing the stack buffer and crashing the BEAM VM (denial of service). Because the attacker can only write 16-bit values interleaved with a fixed tag, a controlled return address cannot be achieved. Additionally, a crafted SCTP ERROR chunk may leak fragments of Erlang VM memory into the received error packet, though the disclosure scope is limited because that data is already readable by the user running the VM. This issue requires SCTP support to be compiled into OTP and a listening SCTP socket to be opened via gen_sctp with the default inet backend.
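The following is an added illustration and is not code from Erlang/OTP or from this advisory: a bounds-checked parser for the cause list of an SCTP ERROR chunk (chunk type 9; cause layout per RFC 4960 section 3.3.10) that copies cause codes into a fixed-size array and refuses input that would exceed it, which is the check the description says the vulnerable function lacks. MAX_CAUSES, the function names and the sample chunks are constructed for this example; the real size of spec[] in inet_drv.c is not stated on the page.

```c
#include <stddef.h>
#include <stdint.h>

/* Capacity of the fixed-size array the parser fills. Constructed for this
 * example; the real spec[] size in inet_drv.c is not given in the advisory. */
#define MAX_CAUSES 8

#define SCTP_CHUNK_ERROR 9u   /* Operation Error chunk type, RFC 4960 3.3.10 */

/* Parse an SCTP ERROR chunk and copy its cause codes into codes[], which has
 * room for 'capacity' entries.
 * Returns the number of causes on success, -1 on malformed or truncated input,
 * and -2 when the chunk carries more causes than codes[] can hold.
 * It never writes past codes[capacity - 1]. */
int parse_error_chunk(const uint8_t *buf, size_t len,
                      uint16_t *codes, size_t capacity)
{
    if (len < 4 || buf[0] != SCTP_CHUNK_ERROR)
        return -1;                                   /* no full chunk header */
    uint16_t chunk_len = (uint16_t)((buf[2] << 8) | buf[3]);
    if (chunk_len < 4 || chunk_len > len)
        return -1;                                   /* header claims more than we have */

    size_t off = 4;
    int n = 0;
    while (off < chunk_len) {
        if (chunk_len - off < 4)
            return -1;                               /* truncated cause header */
        uint16_t code = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        uint16_t clen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        if (clen < 4 || clen > chunk_len - off)
            return -1;                               /* cause length inconsistent */

        /* The bound the vulnerable pattern lacks: check before every write. */
        if ((size_t)n >= capacity)
            return -2;
        codes[n++] = code;

        /* Causes are padded to a 4-byte boundary; the final pad may be omitted. */
        size_t padded = ((size_t)clen + 3u) & ~(size_t)3u;
        if (padded > chunk_len - off)
            padded = chunk_len - off;
        off += padded;
    }
    return n;
}

/* Constructed sample: an ERROR chunk with two causes, Invalid Stream
 * Identifier (code 1) and Unrecognized Chunk Type (code 6). */
const uint8_t sample_two_causes[20] = {
    0x09, 0x00, 0x00, 0x14,                          /* type 9, flags 0, length 20 */
    0x00, 0x01, 0x00, 0x08, 0x00, 0x05, 0x00, 0x00,  /* code 1, len 8, stream 5 */
    0x00, 0x06, 0x00, 0x08, 0x04, 0x00, 0x00, 0x00   /* code 6, len 8, chunk hdr */
};

/* Build a well-formed chunk carrying 'count' header-only causes (constructed
 * cause code 13, cause length 4, no cause-specific information).
 * Returns the bytes written, or 0 if 'out' is too small. */
size_t build_many_causes(uint8_t *out, size_t out_len, size_t count)
{
    size_t total = 4 + 4 * count;
    if (total > out_len || total > 0xFFFFu)
        return 0;
    out[0] = SCTP_CHUNK_ERROR;
    out[1] = 0;
    out[2] = (uint8_t)(total >> 8);
    out[3] = (uint8_t)(total & 0xFFu);
    for (size_t i = 0; i < count; i++) {
        uint8_t *c = out + 4 + 4 * i;
        c[0] = 0x00; c[1] = 0x0d;                    /* cause code 13 */
        c[2] = 0x00; c[3] = 0x04;                    /* cause length 4 */
    }
    return total;
}
```

The parser rejects the oversized chunk with -2 rather than filling past the array; a caller in a driver would then drop or truncate the error report. Validating each cause length against the remaining chunk bytes before reading it is what prevents the out-of-bounds read side of the issue.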
Recommendations

Update Erlang OTP to version 27.3.4.13, 28.5.0.2, or 29.0.2. Update erts to version 15.2.7.9, 16.4.0.2, or 17.0.2.

Weakness Enumeration

Stack Overflow

Related Identifiers

CVE-2026-49759
GHSA-6F4F-CHJ5-5G97

Affected Products

Erlang/Otp
Erts