CVE-2026-49760: Erlang OTP erl_interface DoS Vulnerability

CVE-2026-49760 Overview

CVE-2026-49760 is a stack-based buffer overflow [CWE-121] in the Erlang OTP erl_interface library. The flaw resides in the ei_s_print_term function defined in lib/erl_interface/src/misc/ei_printterm.c. The function uses a fixed 2000-character stack buffer to format encoded Erlang terms. When the function processes an encoded term containing a very large integer whose textual representation exceeds 2000 characters, it writes past the buffer boundary.

The overflow bytes are constrained to ASCII characters 0-9 and A-F, which prevents arbitrary code execution and limits impact to denial of service. The companion routine ei_print_term, which writes to a FILE stream rather than a memory buffer, is not affected.

Critical Impact

Local attackers who can supply crafted encoded Erlang terms to applications calling ei_s_print_term can corrupt the stack and crash the process, causing denial of service in Erlang/OTP-based systems.

Affected Products

• Erlang/OTP from 17.0 before 27.3.4.13
• Erlang/OTP 28.0 through versions before 28.5.0.2
• Erlang/OTP 29.0 before 29.0.2 (corresponding erl_interface 3.7.16 through versions before 5.5.2.1, 5.7.0.1, and 5.8.1)

Discovery Timeline

• 2026-06-10 - CVE-2026-49760 published to NVD
• 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-49760

Vulnerability Analysis

The ei_s_print_term function formats decoded Erlang term representations into a caller-provided memory buffer. Internally, the implementation relies on a helper that writes formatted output through xputs and xprintf into either a FILE* or an ei_x_buff*. The implementation allocates a 2000-byte stack buffer to assemble term components before appending them to the output buffer.

Erlang's external term format permits arbitrary-precision integers (SMALL_BIG_EXT and LARGE_BIG_EXT). When such a term contains a bignum whose hexadecimal representation exceeds 2000 characters, the stack buffer cannot hold the resulting string and adjacent stack memory is overwritten. Because the corrupted bytes are limited to hexadecimal digits, the attacker cannot inject arbitrary opcodes or pointers, restricting exploitation to crashing the host process.

Root Cause

The root cause is a missing bounds check on the size of formatted output relative to the fixed-size stack buffer in ei_s_print_term. The function trusts that any encoded term will fit within the 2000-character working area, which is not guaranteed for large bignums.

Attack Vector

Exploitation requires local access and the ability to deliver a crafted encoded Erlang term to a process linked against erl_interface that invokes ei_s_print_term. Any C application using erl_interface to render terms received from external sources, including distributed Erlang nodes or untrusted clients, is exposed. Successful exploitation results in process termination.

// Security patch in lib/erl_interface/src/misc/ei_printterm.c
// erl_interface: Fix stack overflow in ei_s_print_term
 	ei_x_append_buf(x, &c, 1);
 }
 
-static void xputs(const char* s, FILE* fp, ei_x_buff* x)
+static int xputs(const char* s, FILE* fp, ei_x_buff* x)
 {
+    const int slen = strlen(s);
+
     if (fp != NULL)
 	fputs(s, fp);
     else
-	ei_x_append_buf(x, s, strlen(s));
+        ei_x_append_buf(x, s, slen);
+    return slen;
 }
 
 static int xprintf(FILE* fp, ei_x_buff* x, const char* fmt, ...)

Source: GitHub Commit 0bef277b. The patch refactors xputs to return the number of bytes written and threads length tracking through the formatting helpers so that callers can enforce the 2000-byte boundary.

Detection Methods for CVE-2026-49760

Indicators of Compromise

• Unexpected SIGSEGV or stack smashing termination in processes linking libei or liberl_interface.
• Core dumps where the crashing frame is inside ei_s_print_term or xputs/xprintf helpers.
• Receipt of encoded Erlang terms containing bignums whose decoded hex length exceeds 2000 bytes from untrusted peers.

Detection Strategies

• Inventory binaries and packages that statically or dynamically link erl_interface and map them to installed Erlang/OTP versions.
• Add coverage in fuzz harnesses for ei_s_print_term using oversized SMALL_BIG_EXT and LARGE_BIG_EXT inputs.
• Monitor distributed Erlang traffic and external term decoders for messages exceeding expected term size thresholds.

Monitoring Recommendations

• Enable stack canary protections (-fstack-protector-strong) and log abnormal terminations from Erlang-linked daemons.
• Aggregate process crash telemetry from production Erlang nodes into a centralized analytics pipeline for trend analysis.
• Alert on repeated short-lived crashes of services using erl_interface, which can indicate active exploitation attempts.

How to Mitigate CVE-2026-49760

Immediate Actions Required

• Upgrade Erlang/OTP to 27.3.4.13, 28.5.0.2, or 29.0.2 (or later) as appropriate for the deployed branch.
• Rebuild and redeploy any C/C++ applications that statically link erl_interface against the patched library.
• Restrict who can send encoded Erlang terms to processes calling ei_s_print_term until patches are applied.

Patch Information

The fix is published in the GitHub Security Advisory GHSA-xcxj-5pg2-v72j and tracked in the OSV Vulnerability Report EEF-CVE-2026-49760. The code change in GitHub commit 0bef277b adds length tracking to xputs and enforces the 2000-byte limit. Refer to the CNA CVE-2026-49760 Evaluation and Erlang Versioning Documentation to map fixed versions to the correct OTP branch.

Workarounds

• Replace calls to ei_s_print_term with ei_print_term, which writes to a FILE stream and is not affected.
• Validate incoming encoded Erlang terms and reject any containing bignums whose decoded length exceeds a safe threshold before calling ei_s_print_term.
• Run vulnerable services under process supervision with automatic restart and resource limits to contain DoS impact until patching completes.

# Verify installed Erlang/OTP and erl_interface versions
erl -eval 'erlang:display(erlang:system_info(otp_release)), halt().' -noshell
find / -name 'libei*.so*' -o -name 'liberl_interface*.a' 2>/dev/null \
  | xargs -I{} sh -c 'echo {}; strings {} | grep -E "erl_interface|ei_" | head -5'

# Example: pin patched OTP version via package manager
apt-get install --only-upgrade erlang-base=1:27.3.4.13-1