Description
Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow.

This vulnerability is associated with program file lib/erl_interface/src/misc/ei_printterm.c and program routine ei_s_print_term.

The C function ei_s_print_term uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of 0-9 and A-F, which limits exploitation to Denial of Service.

The companion function ei_print_term, which prints directly to a FILE instead of a memory buffer, does not contain this bug.

This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.
Published: 2026-06-10
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stack-based buffer overflow in the ei_s_print_term routine of the Erlang OTP erl_interface module. When an encoded Erlang term containing a very large integer (one whose encoded representation exceeds 2000 characters) is processed, an internal 2000-character stack buffer is overrun. The overflowing bytes are restricted to the ASCII characters 0-9 and A-F, which limits the flaw to a denial-of-service scenario rather than arbitrary code execution.

Affected Systems

The issue occurs in Erlang OTP releases prior to OTP 27.3.4.13, 28.5.0.2, and 29.0.2, which correspond to erl_interface versions before 5.5.2.1, 5.7.0.1, and 5.8.1 respectively. Any installation of OTP 17.0 through 27.3.4.12, 28.5.0.1, or 29.0.1 that still uses those erl_interface releases is affected.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity, and the problem does not appear in the KEV catalog, with the EPSS score listed as not available. Because the overflowing buffer can be reached only when an attacker controls the encoded integer representation, the likely attack vector is local or within a trusted network context. The limited payload space and the resulting denial-of-service impact constrain the exploit to crashing the node or process that invoked ei_s_print_term, rather than granting remote code execution.

Generated by OpenCVE AI on June 10, 2026 at 17:25 UTC.

Remediation

Vendor Workaround

Avoid calling ei_s_print_term with untrusted data whose encoded integer representation could exceed 2000 characters.


OpenCVE Recommended Actions

  • Upgrade Erlang OTP to the latest release that includes the patch (OTP 27.3.4.13 or later, or OTP 28.5.0.2 or OTP 29.0.2).
  • Avoid calling ei_s_print_term with untrusted data that could contain integers whose encoded representation exceeds 2000 characters, as recommended by the vendor.
  • Monitor system logs and performance to detect unexpected crashes or high CPU usage that could indicate an attempted exploitation and consider isolating vulnerable nodes if upgrading immediately is not feasible.
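The vendor workaround and the second recommended action both amount to validating untrusted input before it reaches ei_s_print_term. The following is an added example, not OTP or erl_interface code: a small walker over the Erlang external term format that rejects any term containing a bignum whose magnitude could print to more than a 2000-character budget. The tag values and layouts are those of the external term format; the bound of two hex digits per magnitude byte is an assumption derived from the advisory's statement that the overflow bytes are 0-9 and A-F, and the set of handled tags is deliberately limited, with anything else refused.

```c
#include <stddef.h>
#include <stdint.h>
#define PRINT_BUDGET 2000  /* size of the internal buffer in ei_s_print_term, per the advisory */

static uint32_t be32(const unsigned char *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Walks one encoded term at *pos. Returns 0 if it is well formed and within budget,
 * -1 on truncation, an unhandled tag, or a bignum that is too large. 'used'
 * accumulates a conservative upper bound on the characters bignums would print. */
static int walk(const unsigned char *b, size_t len, size_t *pos, size_t *used)
{
    uint32_t n, i;
    if (*pos >= len) return -1;
    unsigned char tag = b[(*pos)++];
    switch (tag) {
    case 97:  *pos += 1; break;                      /* SMALL_INTEGER_EXT */
    case 98:  *pos += 4; break;                      /* INTEGER_EXT */
    case 106: break;                                 /* NIL_EXT */
    case 100: case 107:                              /* ATOM_EXT, STRING_EXT: len(2) + bytes */
        if (*pos + 2 > len) return -1;
        *pos += 2 + (((uint32_t)b[*pos] << 8) | b[*pos + 1]); break;
    case 104:                                        /* SMALL_TUPLE_EXT: arity(1) + elements */
        if (*pos >= len) return -1;
        n = b[(*pos)++];
        for (i = 0; i < n; i++) if (walk(b, len, pos, used)) return -1;
        break;
    case 108:                                        /* LIST_EXT: len(4) + elements + tail */
        if (*pos + 4 > len) return -1;
        n = be32(b + *pos); *pos += 4;
        for (i = 0; i <= n; i++) if (walk(b, len, pos, used)) return -1;
        break;
    case 110: case 111:                              /* SMALL_/LARGE_BIG_EXT: n(1|4) sign(1) n bytes */
        if (*pos + (tag == 110 ? 1u : 4u) > len) return -1;
        n = tag == 110 ? b[*pos] : be32(b + *pos);
        *pos += tag == 110 ? 1 : 4;
        if (1 + (size_t)n > len - *pos) return -1;   /* magnitude would run past the input */
        *pos += 1 + (size_t)n;
        *used += 2 * (size_t)n + 1;                  /* assumption: <= 2 hex digits per byte + sign */
        if (*used >= PRINT_BUDGET) return -1;
        break;
    default: return -1;                              /* unknown tag: refuse rather than guess */
    }
    return *pos <= len ? 0 : -1;
}

/* 1 = the term may be handed to ei_s_print_term under this policy, 0 = reject it. */
int term_fits_print_budget(const unsigned char *buf, size_t len)
{
    size_t pos = (len > 0 && buf[0] == 131) ? 1 : 0, used = 0;  /* 131 = version magic byte */
    return walk(buf, len, &pos, &used) == 0 && pos == len;
}
```

The check refuses unknown tags and trailing bytes by design, so extend the switch for the term shapes your application actually accepts before placing it in front of ei_s_print_term.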

Generated by OpenCVE AI on June 10, 2026 at 17:25 UTC.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow. This vulnerability is associated with program file lib/erl_interface/src/misc/ei_printterm.c and program routine ei_s_print_term. The C function ei_s_print_term uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of 0-9 and A-F, which limits exploitation to Denial of Service. The companion function ei_print_term, which prints directly to a FILE instead of a memory buffer, does not contain this bug. This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.
Title Stack Buffer Overflow in ei_s_print_term at Very Large Integer
First Time appeared Erlang
Erlang erlang/otp
Weaknesses CWE-121
CPEs cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:*
Vendors & Products Erlang
Erlang erlang/otp
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-10T16:16:28.366Z

Reserved: 2026-06-01T13:45:22.449Z

Link: CVE-2026-49760

Vulnrichment

Updated: 2026-06-10T16:16:22.977Z

NVD

Status : Received

Published: 2026-06-10T16:17:12.947

Modified: 2026-06-10T16:17:12.947

Link: CVE-2026-49760

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T17:30:36Z

Weaknesses