Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow.
This vulnerability is associated with program file lib/erl_interface/src/misc/ei_printterm.c and program routine ei_s_print_term.
The C function ei_s_print_term uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of 0-9 and A-F, which limits exploitation to Denial of Service.
The companion function ei_print_term, which prints directly to a FILE instead of a memory buffer, does not contain this bug.
This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.
Avoid calling ei_s_print_term with untrusted data whose encoded integer representation could exceed 2000 characters.
{
"cwe_ids": [
"CWE-121"
],
"capec_ids": [
"CAPEC-8"
],
"cpe_ids": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
]
}"2026-06-11T08:03:18Z"
"https://cna.erlef.org/osv/EEF-CVE-2026-49760.json"
[
{
"id": "EEF-CVE-2026-49760-022411e5",
"digest": {
"function_hash": "193368618758297330893065608929158335242",
"length": 186.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/erlang/otp/commit/0bef277b2d39dc8babb9ceb4f5d0a456f3007111",
"deprecated": false,
"target": {
"function": "xputs",
"file": "lib/erl_interface/src/misc/ei_printterm.c"
}
},
{
"id": "EEF-CVE-2026-49760-050c4019",
"digest": {
"line_hashes": [
"129987449935442626922576360273010985950",
"182628357533292467603230335496893584182",
"84974574094128217425849947334958450591",
"303204613610604044333794037154847545087",
"205505750195805099599079314046653074886",
"242411142061672716631652253432456926320",
"34229576740430111543674439228487913588",
"206948010257539244208078656576434751129",
"299580921524496072993945454093677126032",
"124508628327946877418788548966952760392",
"36321982408223680249605131387021290611",
"244093350943159726189524618619533006355",
"128472681028884791199717162918156810034",
"48089500669397162200594149588556148739",
"327409299815393523873394638738727266457",
"222125189150859468688246895535557614247",
"160518933820097368485581825050040697410",
"74763268382742076537110950297602582020"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/erlang/otp/commit/0bef277b2d39dc8babb9ceb4f5d0a456f3007111",
"deprecated": false,
"target": {
"file": "lib/erl_interface/src/misc/ei_printterm.c"
}
},
{
"id": "EEF-CVE-2026-49760-5c3d14ea",
"digest": {
"function_hash": "20126977231981737495608613980381006874",
"length": 355.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/erlang/otp/commit/0bef277b2d39dc8babb9ceb4f5d0a456f3007111",
"deprecated": false,
"target": {
"function": "xprintf",
"file": "lib/erl_interface/src/misc/ei_printterm.c"
}
},
{
"id": "EEF-CVE-2026-49760-61f1ec93",
"digest": {
"function_hash": "248798747059463741358854413735715547791",
"length": 6224.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/erlang/otp/commit/0bef277b2d39dc8babb9ceb4f5d0a456f3007111",
"deprecated": false,
"target": {
"function": "print_term",
"file": "lib/erl_interface/src/misc/ei_printterm.c"
}
},
{
"id": "EEF-CVE-2026-49760-626a3fb8",
"digest": {
"function_hash": "257318524130605958237752132322241258155",
"length": 771.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/erlang/otp/commit/0bef277b2d39dc8babb9ceb4f5d0a456f3007111",
"deprecated": false,
"target": {
"function": "send_printed_buf",
"file": "lib/erl_interface/test/ei_print_SUITE_data/ei_print_test.c"
}
},
{
"id": "EEF-CVE-2026-49760-b0b91ab0",
"digest": {
"line_hashes": [
"264093821237804837996415942465318863659",
"10424607488912900977757057427559227229",
"218318064356773586102645165312208352557",
"71546891966718475353985029582207272855",
"189936519407021833390469519939506059547",
"198264497833074430851461912828825666618",
"270754654748745929540968422776954156395",
"180603470982765993879983251533839877765",
"214801972202090556207145028581013595147",
"277430019812868477916019892760205087535",
"118908469996054890492759544605081118760",
"26330492287504809149405060904030128303",
"360159136364441462841237574318458360",
"131442704667594904828977963152148302858",
"329851795378938511090137206008449770983",
"178423773278323329577470179964423923363",
"221256189197817541730556399113524709619",
"42519436959816468196649549280584202425",
"12786333625252033611733634326801589262",
"190912576496919874105935446397243018492",
"105145191943495785581530336704990414754",
"48877447683709588715041790956971934178",
"59253891848884251319204915152001355112",
"148581509704816979468765201139810176747",
"268372373344873455942867287554750212163",
"273948230403692249289307622996310571929",
"134965975837835266064335129159271436049",
"273479961572098031058391051095752582635"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/erlang/otp/commit/0bef277b2d39dc8babb9ceb4f5d0a456f3007111",
"deprecated": false,
"target": {
"file": "lib/erl_interface/test/ei_print_SUITE_data/ei_print_test.c"
}
}
]