CVE-2026-28810 - Vulnerability Details

- Predictable DNS Transaction IDs Enable Cache Poisoning in Built-in Resolver

Description

Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning.

The built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers.

inet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible.

This vulnerability is associated with program files lib/kernel/src/inet_db.erl and lib/kernel/src/inet_res.erl.

This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11.

Published: 2026-04-07

Score: 6.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Erlang/OTP kernel’s built‑in resolver, inet_res, generates a sequential 16‑bit transaction ID for UDP DNS queries and does not randomize the source port. Because response validation relies almost entirely on this predictable ID, an attacker who can observe a single query or predict the next value can forge a DNS reply and poison the resolver’s cache, potentially redirecting traffic to malicious hosts.

Affected Systems

Vendors and products affected are Erlang and Erlang:OTP. The flaw exists in OTP releases from 17.0 through 28.4.2 as well as 27.3.4.10 and 26.2.5.19, corresponding to kernel versions 3.0 through 10.6.2, 10.2.7.4, and 9.2.4.11. The resolver is intended for use in trusted network environments and with trusted recursive resolvers, but earlier documentation did not clearly state this assumption.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Attackers would need network access from which they can observe or predict the sequential query ID; no prerequisite authentication is required. Due to the sequential nature of the ID and lack of source port randomization, deliberate cache poisoning remains technically feasible in unshielded environments, but the risk is mitigated by network isolation and proper configuration.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Erlang

OTP

unknown

Version	Status	Constraints
`3.0`	affected	< *

Erlang

OTP

unknown

Version	Status	Constraints
`17.0`	affected	< *
`07b8f441ca711f9812fad9e9115bab3c3aa92f79`	affected	< *

Configuration 1 [-]

OR	cpe:2.3:a:erlang:erlang\/otp::::::::
	cpe:2.3:a:erlang:erlang\/otp::::::::
	cpe:2.3:a:erlang:erlang\/otp::::::::

No data.

Vendor Product Confidence Versions

Erlang

Erlang/otp

100%

Version	Status	Scheme	Platform
`[3.0,*]`	affected	generic	—
`[17.0,*]`	affected	generic	—
`07b8f441ca711f9812fad9e9115bab3c3aa92f79`	affected	code_commit	—

Erlang

Otp

100%

Version	Status	Scheme	Platform
`[3.0,*]`	affected	generic	—

Erlang

Otp

100%

Version	Status	Scheme	Platform
`[17.0,*]`	affected	generic	—
`07b8f441ca711f9812fad9e9115bab3c3aa92f79`	affected	code_commit	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Workaround

Install the Erlang nodes in a trusted network shielded from DNS reply spoofing by firewalls, and configure the inet_res resolver to only talk to trusted recursive name servers within that network.

OpenCVE Recommended Actions

Apply the provided workaround by restricting DNS traffic to trusted recursive name servers within a shielded network
Configure firewall rules to block unsolicited DNS responses to the Erlang nodes
Update to a newer Erlang/OTP release that addresses this issue if available
Monitor DNS query patterns for signs of cache poisoning attempts

Generated by OpenCVE AI on April 8, 2026 at 01:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00043.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://cna.erlef.org/cves/CVE-2026-28810.html
https://github.com/erlang/otp/commit/36f23c9d2cc54afe83671dd7343596d7972839a5
https://github.com/erlang/otp/commit/b057a9d995017b1be50d6dc02edd52382f3231b8
https://github.com/erlang/otp/commit/dd15e8eb03548c5e55e9915f0e91389ec6bad9fd
https://github.com/erlang/otp/security/advisories/GHSA-v884-5jg5-whj8
https://nvd.nist.gov/vuln/detail/CVE-2026-28810
https://osv.dev/vulnerability/EEF-CVE-2026-28810
https://www.cve.org/CVERecord?id=CVE-2026-28810
https://www.erlang.org/doc/system/versions.html#order-of-versions

History

Thu, 23 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`	cvssV3_1 `{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Wed, 08 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Erlang erlang/otp Erlang otp
Vendors & Products		Erlang erlang/otp Erlang otp

Wed, 08 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-331
References		https://nvd.nist.gov/vuln/detail/CVE-2026-28810 https://www.cve.org/CVERecord?id=CVE-2026-28810
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}` threat_severity `Moderate`

Tue, 07 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 07 Apr 2026 08:15:00 +0000

Type	Values Removed	Values Added
Description		Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning. The built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers. inet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible. This vulnerability is associated with program files lib/kernel/src/inet_db.erl and lib/kernel/src/inet_res.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11.
Title		Predictable DNS Transaction IDs Enable Cache Poisoning in Built-in Resolver
First Time appeared		Erlang Erlang erlang\/otp
Weaknesses		CWE-340
CPEs		cpe:2.3:a:erlang:erlang\/otp::::::::
Vendors & Products		Erlang Erlang erlang\/otp
References		https://cna.erlef.org/cves/CVE-2026-28810.html https://github.com/erlang/otp/commit/36f23c9d2cc54afe83671dd7343596d7972839a5 https://github.com/erlang/otp/commit/b057a9d995017b1be50d6dc02edd52382f3231b8 https://github.com/erlang/otp/commit/dd15e8eb03548c5e55e9915f0e91389ec6bad9fd https://github.com/erlang/otp/security/advisories/GHSA-v884-5jg5-whj8 https://osv.dev/vulnerability/EEF-CVE-2026-28810 https://www.erlang.org/doc/system/versions.html#order-of-versions
Metrics		cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

Erlang Erlang/otp Erlang\/otp Otp

MITRE

Status: PUBLISHED

Assigner: EEF

Published: 2026-04-07T07:50:11.072Z

Updated: 2026-04-08T04:08:49.797Z

Reserved: 2026-03-03T14:40:00.590Z

Link: CVE-2026-28810

Vulnrichment

Updated: 2026-04-07T16:27:57.226Z

NVD

Status : Analyzed

Published: 2026-04-07T09:16:20.473

Modified: 2026-04-23T15:18:31.997

Link: CVE-2026-28810

Redhat

Severity : Moderate

Publid Date: 2026-04-07T07:50:11Z

Links: CVE-2026-28810 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:49:55Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object