EEF-CVE-2026-49760

Source
https://cna.erlef.org/osv/EEF-CVE-2026-49760.html
Import Source
https://cna.erlef.org/osv/EEF-CVE-2026-49760.json
JSON Data
https://api.osv.dev/v1/vulns/EEF-CVE-2026-49760
Aliases
Published
2026-06-10T14:35:36.804Z
Modified
2026-06-11T08:03:18.321633Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Stack Buffer Overflow in ei_s_print_term at Very Large Integer
Details

Summary

Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow.

This vulnerability is associated with program file lib/erl_interface/src/misc/ei_printterm.c and program routine ei_s_print_term.

The C function ei_s_print_term uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of 0-9 and A-F, which limits exploitation to Denial of Service.

The companion function ei_print_term, which prints directly to a FILE instead of a memory buffer, does not contain this bug.

This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.

Workaround

Avoid calling ei_s_print_term with untrusted data whose encoded integer representation could exceed 2000 characters.

Database specific
{
    "cwe_ids": [
        "CWE-121"
    ],
    "capec_ids": [
        "CAPEC-8"
    ],
    "cpe_ids": [
        "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
    ]
}
References
Credits
    • Jonatan Männchen / EEF - FINDER
    • Sverker Eriksson - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/erlang/otp

Affected ranges

Type
GIT
Repo
https://github.com/erlang/otp
Events

Affected versions

OTP-17.*
OTP-17.0
OTP-18.*
OTP-18.0
OTP-18.0-rc1
OTP-19.*
OTP-19.0
OTP-19.0-rc1
OTP-19.0-rc2
OTP-20.*
OTP-20.0
OTP-20.0-rc1
OTP-20.0-rc2
OTP-21.*
OTP-21.0
OTP-21.0-rc1
OTP-21.0-rc2
OTP-22.*
OTP-22.0
OTP-22.0-rc1
OTP-22.0-rc2
OTP-22.0-rc3
OTP-23.*
OTP-23.0
OTP-23.0-rc1
OTP-23.0-rc2
OTP-23.0-rc3
OTP-24.*
OTP-24.0
OTP-24.0-rc1
OTP-24.0-rc2
OTP-24.0-rc3
OTP-25.*
OTP-25.0
OTP-25.0-rc1
OTP-25.0-rc2
OTP-25.0-rc3
OTP-26.*
OTP-26.0
OTP-26.0-rc1
OTP-26.0-rc2
OTP-26.0-rc3
OTP-26.1
OTP-26.2
OTP-26.2.3
OTP-26.2.4
OTP-26.2.5
OTP_17.*
OTP_17.0-rc1
OTP_17.0-rc2
Other
OTP_R13B03
OTP_R13B04
OTP_R14A
OTP_R14B
OTP_R14B01
OTP_R14B02
OTP_R14B03
OTP_R15A
OTP_R15B
OTP_R16A_RELEASE_CANDIDATE
OTP_R16B
patch-base-26

Database specific

vanir_signatures_modified
"2026-06-11T08:03:18Z"
source
"https://cna.erlef.org/osv/EEF-CVE-2026-49760.json"
vanir_signatures
[
    {
        "id": "EEF-CVE-2026-49760-022411e5",
        "digest": {
            "function_hash": "193368618758297330893065608929158335242",
            "length": 186.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/erlang/otp/commit/0bef277b2d39dc8babb9ceb4f5d0a456f3007111",
        "deprecated": false,
        "target": {
            "function": "xputs",
            "file": "lib/erl_interface/src/misc/ei_printterm.c"
        }
    },
    {
        "id": "EEF-CVE-2026-49760-050c4019",
        "digest": {
            "line_hashes": [
                "129987449935442626922576360273010985950",
                "182628357533292467603230335496893584182",
                "84974574094128217425849947334958450591",
                "303204613610604044333794037154847545087",
                "205505750195805099599079314046653074886",
                "242411142061672716631652253432456926320",
                "34229576740430111543674439228487913588",
                "206948010257539244208078656576434751129",
                "299580921524496072993945454093677126032",
                "124508628327946877418788548966952760392",
                "36321982408223680249605131387021290611",
                "244093350943159726189524618619533006355",
                "128472681028884791199717162918156810034",
                "48089500669397162200594149588556148739",
                "327409299815393523873394638738727266457",
                "222125189150859468688246895535557614247",
                "160518933820097368485581825050040697410",
                "74763268382742076537110950297602582020"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/erlang/otp/commit/0bef277b2d39dc8babb9ceb4f5d0a456f3007111",
        "deprecated": false,
        "target": {
            "file": "lib/erl_interface/src/misc/ei_printterm.c"
        }
    },
    {
        "id": "EEF-CVE-2026-49760-5c3d14ea",
        "digest": {
            "function_hash": "20126977231981737495608613980381006874",
            "length": 355.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/erlang/otp/commit/0bef277b2d39dc8babb9ceb4f5d0a456f3007111",
        "deprecated": false,
        "target": {
            "function": "xprintf",
            "file": "lib/erl_interface/src/misc/ei_printterm.c"
        }
    },
    {
        "id": "EEF-CVE-2026-49760-61f1ec93",
        "digest": {
            "function_hash": "248798747059463741358854413735715547791",
            "length": 6224.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/erlang/otp/commit/0bef277b2d39dc8babb9ceb4f5d0a456f3007111",
        "deprecated": false,
        "target": {
            "function": "print_term",
            "file": "lib/erl_interface/src/misc/ei_printterm.c"
        }
    },
    {
        "id": "EEF-CVE-2026-49760-626a3fb8",
        "digest": {
            "function_hash": "257318524130605958237752132322241258155",
            "length": 771.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/erlang/otp/commit/0bef277b2d39dc8babb9ceb4f5d0a456f3007111",
        "deprecated": false,
        "target": {
            "function": "send_printed_buf",
            "file": "lib/erl_interface/test/ei_print_SUITE_data/ei_print_test.c"
        }
    },
    {
        "id": "EEF-CVE-2026-49760-b0b91ab0",
        "digest": {
            "line_hashes": [
                "264093821237804837996415942465318863659",
                "10424607488912900977757057427559227229",
                "218318064356773586102645165312208352557",
                "71546891966718475353985029582207272855",
                "189936519407021833390469519939506059547",
                "198264497833074430851461912828825666618",
                "270754654748745929540968422776954156395",
                "180603470982765993879983251533839877765",
                "214801972202090556207145028581013595147",
                "277430019812868477916019892760205087535",
                "118908469996054890492759544605081118760",
                "26330492287504809149405060904030128303",
                "360159136364441462841237574318458360",
                "131442704667594904828977963152148302858",
                "329851795378938511090137206008449770983",
                "178423773278323329577470179964423923363",
                "221256189197817541730556399113524709619",
                "42519436959816468196649549280584202425",
                "12786333625252033611733634326801589262",
                "190912576496919874105935446397243018492",
                "105145191943495785581530336704990414754",
                "48877447683709588715041790956971934178",
                "59253891848884251319204915152001355112",
                "148581509704816979468765201139810176747",
                "268372373344873455942867287554750212163",
                "273948230403692249289307622996310571929",
                "134965975837835266064335129159271436049",
                "273479961572098031058391051095752582635"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/erlang/otp/commit/0bef277b2d39dc8babb9ceb4f5d0a456f3007111",
        "deprecated": false,
        "target": {
            "file": "lib/erl_interface/test/ei_print_SUITE_data/ei_print_test.c"
        }
    }
]