CVE-2026-49759: Erlang OTP SCTP DoS Vulnerability

CVE-2026-49759 Overview

CVE-2026-49759 is a stack-based buffer overflow [CWE-121] in the Erlang/OTP runtime system (erts), specifically in the inet_drv networking driver. The flaw resides in sctp_parse_error_chunk within erts/emulator/drivers/common/inet_drv.c. An unauthenticated remote attacker who can establish a Stream Control Transmission Protocol (SCTP) association to a listening port can send a single crafted SCTP ERROR chunk to crash the Erlang BEAM virtual machine. The vulnerability affects OTP releases from 17.0 up to (but not including) 27.3.4.13, 28.5.0.2, and 29.0.2.

Critical Impact

A remote, unauthenticated attacker can crash the BEAM VM by sending one crafted SCTP ERROR chunk, causing denial of service for any Erlang application listening on SCTP.

Affected Products

• Erlang/OTP from 17.0 before 27.3.4.13
• Erlang/OTP 28.x before 28.5.0.2
• Erlang/OTP 29.x before 29.0.2 (erts 6.0 before 15.2.7.9, 16.4.0.2, and 17.0.2)

Discovery Timeline

• 2026-06-10 - CVE-2026-49759 published to NVD
• 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-49759

Vulnerability Analysis

The vulnerability lives in sctp_parse_error_chunk, the function responsible for parsing SCTP ERROR chunks within the inet_drv driver. The function writes cause codes into a fixed-size, stack-allocated ErlDrvTermData spec[] array without enforcing bounds on the number of entries written. When an attacker sends an ERROR chunk containing more cause codes than the static buffer can hold, the write overflows the stack frame.

The overflow is constrained. The driver writes 16-bit values interleaved with a fixed tag, so an attacker cannot place a controlled return address or arbitrary gadget pointer on the stack. The practical outcome is corruption of adjacent stack memory and a crash of the BEAM VM, which terminates every Erlang process running in that VM instance.

A secondary issue exists in the same code path. A crafted ERROR chunk can leak fragments of Erlang VM memory back into the error packet observed by the Erlang process consuming the SCTP messages. The leaked memory is already accessible to the user running the VM, so the disclosure boundary is limited to that trust domain.

Root Cause

The root cause is a missing bounds check before writing parsed cause codes into the fixed-size spec[] array on the stack. The parser trusts attacker-controlled length and count fields embedded in the SCTP ERROR chunk.

Attack Vector

Exploitation requires an established SCTP association to a port where an Erlang application has opened an SCTP socket via gen_sctp. No authentication or user interaction is required at the protocol level. Any Erlang service exposing SCTP over the network is reachable.

The exploit primitive is limited to denial of service plus a small, bounded information leak. Remote code execution is not feasible given the structure of the writes performed by sctp_parse_error_chunk.

Detection Methods for CVE-2026-49759

Indicators of Compromise

• Unexpected BEAM VM crashes or restarts on hosts exposing SCTP listeners (gen_sctp)
• erl_crash.dump files referencing inet_drv or sctp_parse_error_chunk frames
• Inbound SCTP ERROR chunks from unexpected peers or with abnormally large cause-code payloads
• Repeated short-lived SCTP associations followed by service restarts

Detection Strategies

• Inspect packet captures for SCTP chunk type 9 (ERROR) carrying an unusual number of cause parameters.
• Monitor process supervisors (systemd, relx, heart) for repeated BEAM restart events correlated with SCTP traffic.
• Alert on the creation of erl_crash.dump files on production hosts running Erlang/OTP versions in the affected range.

Monitoring Recommendations

• Track Erlang/OTP and erts versions across the fleet and flag any host below 27.3.4.13, 28.5.0.2, or 29.0.2.
• Log all SCTP association attempts and source addresses at perimeter firewalls and stateful packet inspection devices.
• Forward BEAM crash telemetry and host logs into a centralized data lake or SIEM to correlate crashes with inbound SCTP activity.

How to Mitigate CVE-2026-49759

Immediate Actions Required

• Upgrade Erlang/OTP to 27.3.4.13, 28.5.0.2, or 29.0.2 depending on the major release in use.
• Inventory all applications that call gen_sctp:open/1,2 or otherwise bind SCTP sockets and prioritize them for patching.
• Restrict SCTP exposure at the network layer to known peers using firewall ACLs.

Patch Information

The fix is published in the official Erlang/OTP commit 3983d49 and documented in the GHSA-6f4f-chj5-5g97 advisory. Additional vendor context is available in the Erlang Ecosystem Foundation CNA notice and the OSV record EEF-CVE-2026-49759. Refer to the Erlang version ordering documentation when selecting an upgrade target.

Workarounds

• Disable SCTP listeners in applications that do not strictly require the protocol until the patch is applied.
• Block inbound SCTP (IP protocol 132) from untrusted networks at the firewall.
• Place affected services behind a network filter that drops malformed SCTP ERROR chunks or limits chunk size.
• Run BEAM under a supervisor that rate-limits restarts to prevent crash-loop amplification by an attacker.