CVE-2026-49760
Status: Received - Intake
Stack-based Buffer Overflow in Erlang OTP erl_interface

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: EEF

Description
Stack-based buffer overflow in Erlang/OTP (erl_interface). The vulnerability is in the program file lib/erl_interface/src/misc/ei_printterm.c, in the routine ei_s_print_term. The C function ei_s_print_term uses an internal 2000-character stack buffer to format terms. When it is called with an encoded Erlang term containing a very large integer (one whose encoded representation exceeds 2000 characters), the buffer overflows. The bytes written past the end of the buffer are restricted to the ASCII values of the characters 0-9 and A-F, which limits exploitation to denial of service. The companion function ei_print_term, which prints directly to a FILE instead of a memory buffer, does not contain this bug.

This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.
CVSS Scores: none listed
EPSS Scores: not evaluated (N/A)
Affected Vendors & Products (8 associated CPEs)

Vendor    Product         Version / Range
erlang    otp             up to 27.3.4.13 (excluding)
erlang    otp             27.3.4.13
erlang    otp             28.5.0.2
erlang    otp             29.0.2
erlang    erl_interface   up to 5.5.2.1 (excluding)
erlang    erl_interface   5.5.2.1
erlang    erl_interface   5.7.0.1
erlang    erl_interface   5.8.1
CWE
CWE-121: A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Executive Summary

This vulnerability is a stack-based buffer overflow in Erlang/OTP's erl_interface library, specifically in the function ei_s_print_term. The function formats terms into a fixed 2000-character stack buffer. When it processes an encoded Erlang term containing a very large integer whose encoded representation exceeds 2000 characters, the buffer overflows.

The overflow bytes are limited to ASCII characters 0-9 and A-F, which restricts the exploitation to causing a denial of service rather than arbitrary code execution. The related function ei_print_term, which prints directly to a file, is not affected by this issue.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS). Because the bytes written past the buffer are limited to the hexadecimal digit characters 0-9 and A-F, the overflow does not allow for arbitrary code execution or privilege escalation.

If an attacker can supply or manipulate data containing very large integers (encoded as more than 2000 characters), they can trigger the overflow in ei_s_print_term, potentially causing the application or system using Erlang OTP to crash or become unstable.

Detection Guidance

This vulnerability occurs when the function ei_s_print_term processes an encoded Erlang term containing a very large integer (a bignum of at least 1000 bytes, i.e. 2000 hexadecimal digits when printed), causing a stack buffer overflow. Detection involves identifying uses of the vulnerable ei_s_print_term function that can receive such large encoded integers.

Since the vulnerability is triggered by processing very large integers in encoded Erlang terms, detection can focus on monitoring or logging calls to ei_s_print_term or related erl_interface usage that handle large integer terms.

No specific detection commands are provided in the available resources. However, you can check the versions of the Erlang/OTP and erl_interface libraries installed on your system to determine whether they fall within the vulnerable ranges (OTP 17.0 before 27.3.4.13, 28.5.0.2, and 29.0.2; erl_interface 3.7.16 before 5.5.2.1, 5.7.0.1, and 5.8.1).

For example, to print the full installed OTP version and the erl_interface library directory (whose name carries the erl_interface version), you can run:

erl -noshell -eval '{ok, V} = file:read_file(filename:join([code:root_dir(), "releases", erlang:system_info(otp_release), "OTP_VERSION"])), io:format("OTP ~s", [V]), io:format("~s~n", [code:lib_dir(erl_interface)]), halt().'

Note that erlang:system_info(otp_release) on its own returns only the major release (for example "27"), which is not precise enough to compare against patch-level fixes such as 27.3.4.13; the OTP_VERSION file under the release directory holds the full version string.

To detect potential exploitation attempts, monitoring logs or network traffic for unusually large encoded Erlang terms or malformed data sent to erl_interface components might help, but no explicit commands or signatures are provided.

Mitigation Strategies

Immediate mitigation involves avoiding calls to the vulnerable ei_s_print_term function with untrusted or manipulated data containing encoded integers exceeding 2000 characters.

Upgrading Erlang OTP and erl_interface libraries to patched versions is the recommended fix. The patched versions are OTP 27.3.4.13, 28.5.0.2, and 29.0.2, and erl_interface versions 5.5.2.1, 5.7.0.1, and 5.8.1 or later.

If upgrading immediately is not possible, ensure that input data passed to ei_s_print_term is validated or sanitized so that terms containing very large integers (bignums whose hexadecimal form would reach the 2000-character buffer) are rejected before they are formatted.
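As an added example (not code from Erlang/OTP or from this advisory), the following C program implements the pre-check described in the Description and in the mitigation above: it inspects the encoded term's header to learn how many hexadecimal digits a bignum would print as, and refuses terms that would reach the 2000-character buffer, so a caller can skip ei_s_print_term for such input on an unpatched library. It assumes only two facts from the page (2000-character buffer, two hex digits per bignum byte) plus the public Erlang external term format (SMALL_BIG_EXT tag 110 with a 1-byte length, LARGE_BIG_EXT tag 111 with a 4-byte big-endian length, both followed by a sign byte and the digit bytes). The tag macros, the enum, check_bignum_size and build_large_big are local names chosen here so the file builds without ei.h, where the corresponding constants are ERL_SMALL_BIG_EXT and ERL_LARGE_BIG_EXT; the sample terms are constructed test input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Limit from the advisory: ei_s_print_term formats into a 2000-character stack
 * buffer and prints one bignum byte as two hexadecimal digits, so 1000 digit
 * bytes already reach the limit. The check is therefore ">= limit". */
#define EI_PRINT_BUF_LIMIT 2000

/* Tag values from the Erlang external term format. ei.h names them
 * ERL_SMALL_BIG_EXT / ERL_LARGE_BIG_EXT; redefined here under local names so
 * this file builds without the erl_interface headers. */
#define VERSION_MAGIC 131
#define SMALL_BIG_EXT 110
#define LARGE_BIG_EXT 111

enum check_result {
    CHECK_NOT_BIGNUM = 0, /* not a bignum: the size limit does not apply */
    CHECK_FITS       = 1, /* bignum whose hex form stays under the limit */
    CHECK_TOO_LARGE  = 2, /* bignum that would overflow the print buffer */
    CHECK_MALFORMED  = 3  /* header announces more bytes than the buffer holds */
};

/* Inspect the term at buf[index] without decoding it.
 * SMALL_BIG_EXT: tag(1) n(1) sign(1) digits(n)
 * LARGE_BIG_EXT: tag(1) n(4, big-endian) sign(1) digits(n)
 * For bignums *hex_digits receives 2*n, the length of the hexadecimal form. */
enum check_result check_bignum_size(const unsigned char *buf, size_t len,
                                    size_t index, size_t *hex_digits)
{
    size_t n, hdr;

    *hex_digits = 0;
    if (index < len && buf[index] == VERSION_MAGIC)
        index++;                       /* optional leading version byte */
    if (index >= len)
        return CHECK_MALFORMED;

    switch (buf[index]) {
    case SMALL_BIG_EXT:
        if (index + 2 >= len)          /* need tag, n and sign */
            return CHECK_MALFORMED;
        n = buf[index + 1];
        hdr = 3;
        break;
    case LARGE_BIG_EXT:
        if (index + 5 >= len)          /* need tag, 4-byte n and sign */
            return CHECK_MALFORMED;
        n = ((size_t)buf[index + 1] << 24) | ((size_t)buf[index + 2] << 16) |
            ((size_t)buf[index + 3] << 8)  |  (size_t)buf[index + 4];
        hdr = 6;
        break;
    default:
        return CHECK_NOT_BIGNUM;
    }
    if (n > len - index - hdr)         /* digit bytes must actually be present */
        return CHECK_MALFORMED;
    *hex_digits = 2 * n;
    return *hex_digits >= EI_PRINT_BUF_LIMIT ? CHECK_TOO_LARGE : CHECK_FITS;
}

/* Build a LARGE_BIG_EXT term with n filler digit bytes (constructed test input,
 * not a real Erlang value). Returns bytes written, or 0 if cap is too small. */
size_t build_large_big(unsigned char *out, size_t cap, uint32_t n)
{
    if (cap < (size_t)n + 6)
        return 0;
    out[0] = LARGE_BIG_EXT;
    out[1] = (unsigned char)(n >> 24);
    out[2] = (unsigned char)(n >> 16);
    out[3] = (unsigned char)(n >> 8);
    out[4] = (unsigned char)n;
    out[5] = 0;                        /* sign byte: positive */
    memset(out + 6, 0xAB, n);
    return (size_t)n + 6;
}

int main(void)
{
    /* Constructed sample: version byte, SMALL_BIG_EXT, n=3, positive, 0xFFFFFF */
    static const unsigned char small[] = {131, SMALL_BIG_EXT, 3, 0, 0xFF, 0xFF, 0xFF};
    static unsigned char big[4096];
    size_t digits, len;
    enum check_result r;

    r = check_bignum_size(small, sizeof small, 0, &digits);
    printf("small bignum: result=%d hex_digits=%zu\n", (int)r, digits);

    len = build_large_big(big, sizeof big, 1500);   /* 3000 hex digits */
    r = check_bignum_size(big, len, 0, &digits);
    printf("large bignum: result=%d hex_digits=%zu (do not format)\n", (int)r, digits);
    return 0;
}
```

The check only reads the header, so it costs nothing proportional to the term size and cannot itself be made to overflow; terms that are not bignums (CHECK_NOT_BIGNUM) and well-formed small bignums (CHECK_FITS) can be passed on, while CHECK_TOO_LARGE and CHECK_MALFORMED should be logged and dropped. A real caller would run it on the same buffer and index it is about to hand to ei_s_print_term.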

Since the vulnerability is limited to denial of service, restricting access to components that invoke ei_s_print_term from untrusted sources can reduce risk.

Compliance Impact

The vulnerability is a stack-based buffer overflow in the Erlang OTP erl_interface library that can lead to denial of service but does not allow arbitrary code execution or data leakage.

Since the impact is limited to availability (denial of service) and does not involve unauthorized access, data breach, or data integrity compromise, the direct effect on compliance with data protection regulations such as GDPR or HIPAA is minimal or indirect.

However, denial of service incidents can affect system availability, which is a component of some compliance frameworks, so organizations relying on Erlang OTP in critical systems should address this vulnerability to maintain operational continuity and compliance with availability requirements.
