CVE-2026-49759
Modified - Updated After Analysis

Stack-based Buffer Overflow in Erlang OTP erts

Publication date: 2026-06-10

Last updated on: 2026-06-30

Assigner: EEF

Description

Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk. The sctp_parse_error_chunk function in erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated ErlDrvTermData spec[] array without checking bounds. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit values interleaved with a fixed tag, so the overflow does not provide a controlled return address, limiting exploitation to Denial of Service. A crafted SCTP ERROR chunk may also leak bits and pieces of Erlang VM memory into the received error packet observed by the Erlang process. Such data is already readable by the user running the Erlang VM, so the disclosure scope is limited. This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and 17.0.2.
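
The missing check described above, shown as an added example that is neither the OTP source nor code from this page: a bounds-checked parser for the causes of an SCTP ERROR chunk. The names parse_error_causes, TAG_INT and SPEC_CAP, the array capacity and the sample chunk are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_INT  0x2Au  /* hypothetical stand-in for the driver's fixed tag */
#define SPEC_CAP 16     /* assumed capacity; the page gives no real size */

/* Constructed sample: ERROR chunk (type 9), length 16, two causes. */
static const uint8_t sample_chunk[] = {
    0x09, 0x00, 0x00, 0x10,                          /* type, flags, length */
    0x00, 0x01, 0x00, 0x08, 0x00, 0x05, 0x00, 0x00,  /* cause 1, length 8  */
    0x00, 0x04, 0x00, 0x04 };                        /* cause 4, length 4  */

/* Big-endian 16-bit read that is safe on unaligned input. */
static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Appends a TAG_INT, code pair to spec[] for every cause in the chunk.
 * Returns the next free index, or -1 if the chunk is malformed or holds
 * more causes than spec[] has room for. */
static int parse_error_causes(uintptr_t *spec, size_t cap, int i,
                              const uint8_t *chunk, size_t chlen)
{
    if (i < 0 || chlen < 4) return -1;
    size_t len = be16(chunk + 2);          /* length claimed by the chunk */
    if (len < 4 || len > chlen) return -1; /* never read past the buffer  */
    size_t off = 4;
    while (off < len) {
        if (len - off < 4) return -1;      /* truncated cause header */
        unsigned code = be16(chunk + off);
        size_t clen = be16(chunk + off + 2);
        if (clen < 4 || clen > len - off) return -1;
        if ((size_t)i + 2 > cap) return -1; /* reject, never write past spec[] */
        spec[i++] = TAG_INT;
        spec[i++] = code;
        off += (clen + 3) & ~(size_t)3;    /* causes are padded to 4 bytes */
    }
    return i;
}

int main(void)
{
    uintptr_t spec[SPEC_CAP];
    int n = parse_error_causes(spec, SPEC_CAP, 0, sample_chunk, sizeof sample_chunk);
    printf("next index: %d\n", n);
    return n == 4 ? 0 : 1;
}
```

Each cause consumes two slots (tag and value), so the capacity check has to run per cause, before the write, rather than once on the chunk length.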

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-29

Affected Vendors & Products

Showing 6 associated CPEs

Vendor | Product | Version / Range
erlang | erlang/otp | From 17.0 (inc) to 27.3.4.13 (exc)
erlang | erlang/otp | From 28.0 (inc) to 28.5.0.2 (exc)
erlang | erlang/otp | From 29.0 (inc) to 29.0.2 (exc)
erlang | erts | From 16.0 (inc) to 16.4.0.2 (exc)
erlang | erts | From 17.0 (inc) to 17.0.2 (exc)
erlang | erts | From 6.0 (inc) to 15.2.7.9 (exc)

CWE

CWE ID | Description
CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Executive Summary

CVE-2026-49759 is a stack-based buffer overflow vulnerability in the Erlang OTP runtime system's inet_drv component, specifically in the SCTP error cause parsing function called sctp_parse_error_chunk.

This vulnerability allows an unauthenticated remote attacker to crash the BEAM virtual machine by sending a specially crafted SCTP ERROR chunk to a listening SCTP port. The function writes cause codes into a fixed-size stack-allocated array without proper bounds checking, which leads to a buffer overflow when too many cause codes are provided.

While the overflow does not allow for controlled manipulation of the return address, limiting exploitation to denial of service, it may also leak small fragments of Erlang VM memory into the error packet, though this data is already accessible to the user running the VM.

Impact Analysis

The primary impact of this vulnerability is denial of service by crashing the BEAM virtual machine process, resulting in loss of availability of the Erlang runtime.

An attacker can cause this crash remotely without authentication by sending a crafted SCTP ERROR chunk to a listening SCTP socket.

There is a limited risk of information disclosure due to small memory fragments leaking into error packets, but this data is already accessible to the user running the VM, so confidentiality impact is minimal.

Exploitation does not allow remote code execution under normal protected builds, as the attacker can only write limited 16-bit values interleaved with fixed tags, and stack protections prevent controlled exploitation.

Detection Guidance

This vulnerability can be detected by identifying if your Erlang OTP system has SCTP support enabled and is listening on an SCTP socket. Since the vulnerability is triggered by sending a crafted SCTP ERROR chunk to a listening SCTP port, detection involves checking for open SCTP ports and monitoring for unusual SCTP ERROR chunks.

You can use network scanning tools to detect open SCTP ports on your system. For example, using the command:

  • sudo nmap -sY -p <port> <target-ip>

This command scans for SCTP ports (-sY) on the specified port and target IP. Replace <port> with the port number your Erlang application might be listening on, and <target-ip> with your system's IP address.

Additionally, monitoring Erlang VM logs for crashes or unusual SCTP ERROR chunk activity can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include applying the official patch that adds proper bounds checking in the sctp_parse_error_chunk function to prevent buffer overflows.

If patching is not immediately possible, you should disable SCTP support or ensure that no SCTP listening sockets are open and reachable from untrusted networks, as exploitation requires an SCTP association to a listening port.

Using Erlang OTP versions 27.3.4.13, 28.5.0.2, or 29.0.2 or later, which include the fix, is recommended.

Since Windows builds are not affected due to lack of SCTP support, running Erlang on Windows can be considered a temporary mitigation if applicable.

Compliance Impact

The vulnerability primarily results in denial of service by crashing the Erlang BEAM virtual machine through a stack-based buffer overflow. It allows limited memory disclosure of VM contents, but only data already accessible to the user running the VM. There is minimal risk to confidentiality or integrity.

Because the impact is mainly availability loss and limited memory disclosure of non-sensitive data, the vulnerability does not directly imply a breach of data protection regulations such as GDPR or HIPAA. However, any denial of service affecting system availability could indirectly impact compliance if critical services are disrupted.

No explicit information is provided about compliance impact in the available resources.
