DEBIAN-CVE-2026-48860

Source
https://security-tracker.debian.org/tracker/CVE-2026-48860
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48860.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-48860
Upstream
  • CVE-2026-48860
Published
2026-06-10T16:17:12.503Z
Modified
2026-06-18T06:00:14.186527840Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inettlsdist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist. The inettlsdist:checkip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead of inet:peername/1 to obtain the peer's IP address. Because inet:sockname/1 returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including rpc:call/4 and code:loadbinary/3. This vulnerability is associated with program file lib/ssl/src/inettlsdist.erl. This issue affects OTP from OTP 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.

References

Affected packages

Debian:11 / erlang

Package

Name
erlang
Purl
pkg:deb/debian/erlang?arch=source&distro=bullseye

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:23.*
1:23.2.6+dfsg-1
1:23.2.6+dfsg-1+deb11u1
1:23.2.6+dfsg-1+deb11u2
1:23.2.6+dfsg-1+deb11u3
1:23.2.6+dfsg-1+deb11u4
1:24.*
1:24.0~rc1+dfsg-1
1:24.0~rc2+dfsg-1
1:24.0~rc3+dfsg-1
1:24.0.2+dfsg-1
1:24.0.3+dfsg-1
1:24.0.4+dfsg-1
1:24.0.5+dfsg-1
1:24.0.5+dfsg-2
1:24.0.6+dfsg-1
1:24.0.6+dfsg-2
1:24.1+dfsg-1
1:24.1.1+dfsg-1
1:24.1.4+dfsg-1
1:24.1.5+dfsg-1
1:24.1.7+dfsg-1
1:24.2+dfsg-1
1:24.2.1+dfsg-1
1:24.2.2+dfsg-1
1:24.3+dfsg-1
1:24.3.1+dfsg-1
1:24.3.2+dfsg-1
1:24.3.3+dfsg-1
1:24.3.4+dfsg-1
1:24.3.4.1+dfsg-1
1:24.3.4.5+dfsg-1
1:25.*
1:25.0~rc1+dfsg-1
1:25.0~rc2+dfsg-1
1:25.0~rc3+dfsg-1
1:25.0+dfsg-1
1:25.0.2+dfsg-1
1:25.0.3+dfsg-1
1:25.0.4+dfsg-1
1:25.1.1+dfsg-1
1:25.1.2+dfsg-1
1:25.2+dfsg-1
1:25.2.1+dfsg-1
1:25.2.1+dfsg-2
1:25.2.2+dfsg-1
1:25.2.3+dfsg-1
1:25.3.2.8+dfsg-1
1:25.3.2.10+dfsg-1
1:25.3.2.10+dfsg-2
1:25.3.2.11+dfsg-1
1:25.3.2.12+dfsg-1
1:25.3.2.12+dfsg-2
1:25.3.2.12+dfsg-3
1:26.*
1:26.0~rc2+dfsg-1
1:26.0~rc3+dfsg-1
1:26.0+dfsg-1
1:26.0.1+dfsg-1
1:26.0.2+dfsg-1
1:26.1.2+dfsg-1
1:26.2.1+dfsg-1
1:26.2.4+dfsg-1
1:27.*
1:27.0~rc3+dfsg-1
1:27.0~rc3+dfsg-2
1:27.0~rc3+dfsg-3
1:27.0~rc3+dfsg-4
1:27.0+dfsg-1
1:27.0.1+dfsg-1
1:27.0.1+dfsg-2
1:27.0.1+dfsg-3
1:27.1.2+dfsg-1
1:27.2+dfsg-1
1:27.2+dfsg-2
1:27.2+dfsg-3~exp1
1:27.2.1+dfsg-1
1:27.2.1+dfsg-2
1:27.2.2+dfsg-1
1:27.2.3+dfsg-1
1:27.2.4+dfsg-1
1:27.3+dfsg-1
1:27.3.1+dfsg-1
1:27.3.2+dfsg-1
1:27.3.3+dfsg-1
1:27.3.4+dfsg-1
1:27.3.4.1+dfsg-1
1:27.3.4.3+dfsg-1
1:27.3.4.4+dfsg-1
1:27.3.4.6+dfsg-1
1:27.3.4.8+dfsg-1
1:27.3.4.9+dfsg-1
1:27.3.4.10+dfsg-1
1:27.3.4.11+dfsg-1
1:27.3.4.11+dfsg-2
1:27.3.4.11+dfsg-3
1:27.3.4.11+dfsg-4
1:27.3.4.11+dfsg-5
1:27.3.4.11+dfsg-6
1:27.3.4.11+dfsg-7
1:27.3.4.12+dfsg-1
1:28.*
1:28.0+dfsg-1
1:28.0.1+dfsg-1
1:28.0.2+dfsg-1
1:28.0.4+dfsg-1
1:28.1.1+dfsg-1
1:28.2+dfsg-1
1:28.3+dfsg-1
1:28.3.1+dfsg-1
1:29.*
1:29.0~rc1+dfsg-1
1:29.0~rc1+dfsg-2
1:29.0~rc2+dfsg-1
1:29.0~rc3+dfsg-1
1:29.0~rc3+dfsg-2
1:29.0~rc3+dfsg-3
1:29.0~rc3+dfsg-4
1:29.0+dfsg-1
1:29.0+dfsg-2
1:29.0.1+dfsg-1
1:29.0.2+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48860.json"

Debian:12 / erlang

Package

Name
erlang
Purl
pkg:deb/debian/erlang?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:25.*
1:25.2.3+dfsg-1
1:25.2.3+dfsg-1+deb12u1
1:25.2.3+dfsg-1+deb12u2
1:25.2.3+dfsg-1+deb12u3
1:25.2.3+dfsg-1+deb12u4
1:25.3.2.8+dfsg-1
1:25.3.2.10+dfsg-1
1:25.3.2.10+dfsg-2
1:25.3.2.11+dfsg-1
1:25.3.2.12+dfsg-1
1:25.3.2.12+dfsg-2
1:25.3.2.12+dfsg-3
1:26.*
1:26.0~rc2+dfsg-1
1:26.0~rc3+dfsg-1
1:26.0+dfsg-1
1:26.0.1+dfsg-1
1:26.0.2+dfsg-1
1:26.1.2+dfsg-1
1:26.2.1+dfsg-1
1:26.2.4+dfsg-1
1:27.*
1:27.0~rc3+dfsg-1
1:27.0~rc3+dfsg-2
1:27.0~rc3+dfsg-3
1:27.0~rc3+dfsg-4
1:27.0+dfsg-1
1:27.0.1+dfsg-1
1:27.0.1+dfsg-2
1:27.0.1+dfsg-3
1:27.1.2+dfsg-1
1:27.2+dfsg-1
1:27.2+dfsg-2
1:27.2+dfsg-3~exp1
1:27.2.1+dfsg-1
1:27.2.1+dfsg-2
1:27.2.2+dfsg-1
1:27.2.3+dfsg-1
1:27.2.4+dfsg-1
1:27.3+dfsg-1
1:27.3.1+dfsg-1
1:27.3.2+dfsg-1
1:27.3.3+dfsg-1
1:27.3.4+dfsg-1
1:27.3.4.1+dfsg-1
1:27.3.4.3+dfsg-1
1:27.3.4.4+dfsg-1
1:27.3.4.6+dfsg-1
1:27.3.4.8+dfsg-1
1:27.3.4.9+dfsg-1
1:27.3.4.10+dfsg-1
1:27.3.4.11+dfsg-1
1:27.3.4.11+dfsg-2
1:27.3.4.11+dfsg-3
1:27.3.4.11+dfsg-4
1:27.3.4.11+dfsg-5
1:27.3.4.11+dfsg-6
1:27.3.4.11+dfsg-7
1:27.3.4.12+dfsg-1
1:28.*
1:28.0+dfsg-1
1:28.0.1+dfsg-1
1:28.0.2+dfsg-1
1:28.0.4+dfsg-1
1:28.1.1+dfsg-1
1:28.2+dfsg-1
1:28.3+dfsg-1
1:28.3.1+dfsg-1
1:29.*
1:29.0~rc1+dfsg-1
1:29.0~rc1+dfsg-2
1:29.0~rc2+dfsg-1
1:29.0~rc3+dfsg-1
1:29.0~rc3+dfsg-2
1:29.0~rc3+dfsg-3
1:29.0~rc3+dfsg-4
1:29.0+dfsg-1
1:29.0+dfsg-2
1:29.0.1+dfsg-1
1:29.0.2+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48860.json"

Debian:13 / erlang

Package

Name
erlang
Purl
pkg:deb/debian/erlang?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:27.*
1:27.3.4.1+dfsg-1
1:27.3.4.1+dfsg-1+deb13u1
1:27.3.4.1+dfsg-1+deb13u2
1:27.3.4.3+dfsg-1
1:27.3.4.4+dfsg-1
1:27.3.4.6+dfsg-1
1:27.3.4.8+dfsg-1
1:27.3.4.9+dfsg-1
1:27.3.4.10+dfsg-1
1:27.3.4.11+dfsg-1
1:27.3.4.11+dfsg-2
1:27.3.4.11+dfsg-3
1:27.3.4.11+dfsg-4
1:27.3.4.11+dfsg-5
1:27.3.4.11+dfsg-6
1:27.3.4.11+dfsg-7
1:27.3.4.12+dfsg-1
1:28.*
1:28.0+dfsg-1
1:28.0.1+dfsg-1
1:28.0.2+dfsg-1
1:28.0.4+dfsg-1
1:28.1.1+dfsg-1
1:28.2+dfsg-1
1:28.3+dfsg-1
1:28.3.1+dfsg-1
1:29.*
1:29.0~rc1+dfsg-1
1:29.0~rc1+dfsg-2
1:29.0~rc2+dfsg-1
1:29.0~rc3+dfsg-1
1:29.0~rc3+dfsg-2
1:29.0~rc3+dfsg-3
1:29.0~rc3+dfsg-4
1:29.0+dfsg-1
1:29.0+dfsg-2
1:29.0.1+dfsg-1
1:29.0.2+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48860.json"

Debian:14 / erlang

Package

Name
erlang
Purl
pkg:deb/debian/erlang?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:29.0.2+dfsg-1

Affected versions

1:27.*
1:27.3.4.1+dfsg-1
1:27.3.4.3+dfsg-1
1:27.3.4.4+dfsg-1
1:27.3.4.6+dfsg-1
1:27.3.4.8+dfsg-1
1:27.3.4.9+dfsg-1
1:27.3.4.10+dfsg-1
1:27.3.4.11+dfsg-1
1:27.3.4.11+dfsg-2
1:27.3.4.11+dfsg-3
1:27.3.4.11+dfsg-4
1:27.3.4.11+dfsg-5
1:27.3.4.11+dfsg-6
1:27.3.4.11+dfsg-7
1:27.3.4.12+dfsg-1
1:28.*
1:28.0+dfsg-1
1:28.0.1+dfsg-1
1:28.0.2+dfsg-1
1:28.0.4+dfsg-1
1:28.1.1+dfsg-1
1:28.2+dfsg-1
1:28.3+dfsg-1
1:28.3.1+dfsg-1
1:29.*
1:29.0~rc1+dfsg-1
1:29.0~rc1+dfsg-2
1:29.0~rc2+dfsg-1
1:29.0~rc3+dfsg-1
1:29.0~rc3+dfsg-2
1:29.0~rc3+dfsg-3
1:29.0~rc3+dfsg-4
1:29.0+dfsg-1
1:29.0+dfsg-2
1:29.0.1+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48860.json"