Patch Package | OTP 26.2.5.15 |
Git Tag | OTP-26.2.5.15 |
Date | 2025-09-10 |
Issue Id | |
System | OTP |
Release | 26 |
Application | |
Potential Incompatibilities |
Potential Incompatibilities
- OTP-19701
  - Application(s): ssh
  - Related Id(s): PR-10157, CVE-2025-48041

  The max_handles option can be configured for an sshd running SFTP. This positive integer value limits the number of file handles opened for a connection (4096 by default).
- OTP-19741
  - Application(s): ssh
  - Related Id(s): PR-10162, CVE-2025-48040

  Avoid decoding KEX messages that provide too many algorithms. This change does not introduce a new limitation but ensures that the limit is enforced earlier in the processing chain. Error logging during the handshake has also been adjusted.
- OTP-19742
  - Application(s): ssh
  - Related Id(s): PR-10155, CVE-2025-48039

  A new 'max_path' option is now available in the sshd configuration, allowing administrators to set the maximum allowable path length. By default, this value is set to 4096 characters.
- OTP-19748
  - Application(s): ssh
  - Related Id(s): PR-10156, CVE-2025-48038

  Reject file handles exceeding the size specified in the RFCs (256 bytes).
inets-9.1.0.3
The inets-9.1.0.3 application can be applied independently of other applications on a full OTP 26 installation.
- OTP-19729

  Fixed a bug where a request sent to an httpd server that uses a CGI script to generate the response would pollute the server's HTTP_PROXY environment variable for that request. This bug is also known as httpoxy. More information: CVE-2016-1000107
- OTP-19760

  Fixed an RFC 2616 violation where an HTTP request made by httpc without any options was sent with an empty TE header and without a TE value in the Connection header. Now the default request does not send a TE header at all.
Full runtime dependencies of inets-9.1.0.3: erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0
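The httpoxy fix (OTP-19729) concerns the CGI convention of exposing request headers to the script as HTTP_* environment variables. The following is an added illustration in Python, not inets code: it maps headers to meta-variables as RFC 3875 describes and drops the Proxy header so that it cannot become HTTP_PROXY. All function names and sample values are constructed for this example.

```python
# Added illustration (not inets code): RFC 3875 header mapping with an httpoxy guard.

# Headers that map to dedicated meta-variables without the HTTP_ prefix.
UNPREFIXED = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}

# Headers a gateway must not expose as HTTP_* variables.
# "proxy" is the httpoxy case: it would be exported as HTTP_PROXY.
BLOCKED_HEADERS = frozenset({"proxy"})


def header_to_meta_variable(name):
    """Upper-case the name, replace '-' with '_', prepend 'HTTP_' (RFC 3875, 4.1.18)."""
    lowered = name.lower()
    if lowered in UNPREFIXED:
        return UNPREFIXED[lowered]
    return "HTTP_" + name.upper().replace("-", "_")


def build_cgi_env(headers, base_env, block=BLOCKED_HEADERS):
    """Build the environment for one CGI invocation.

    headers  -- (name, value) pairs taken from the request
    base_env -- the server's own environment; it is copied, never modified
    Returns (env, dropped) where dropped lists the header names that were refused.
    """
    env = dict(base_env)
    dropped = []
    for raw_name, value in headers:
        name = raw_name.strip()
        if name.lower() in block:
            dropped.append(name)  # worth logging: clients have no reason to send this
            continue
        env[header_to_meta_variable(name)] = value
    return env, dropped


# Constructed sample data: the operator has configured an outbound proxy, and a
# request arrives carrying its own Proxy header.
SERVER_ENV = {"PATH": "/usr/bin", "HTTP_PROXY": "http://proxy.internal.example:3128"}
SAMPLE_HEADERS = [
    ("Host", "shop.example"),
    ("Proxy", "http://192.0.2.10:8080"),
    ("User-Agent", "curl/8.0"),
    ("Content-Type", "text/plain"),
]

if __name__ == "__main__":
    env, dropped = build_cgi_env(SAMPLE_HEADERS, SERVER_ENV)
    print("HTTP_PROXY seen by the script:", env["HTTP_PROXY"])
    print("dropped headers:", dropped)
```

Passing `block=frozenset()` reproduces the unguarded mapping, in which the request's Proxy value replaces the operator's HTTP_PROXY for that script invocation.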
ssh-5.1.4.12
The ssh-5.1.4.12 application can be applied independently of other applications on a full OTP 26 installation.
- OTP-19701
  - Application(s): ssh
  - Related Id(s): PR-10157, CVE-2025-48041

  *** POTENTIAL INCOMPATIBILITY ***

  The max_handles option can be configured for an sshd running SFTP. This positive integer value limits the number of file handles opened for a connection (4096 by default).
- OTP-19741
  - Application(s): ssh
  - Related Id(s): PR-10162, CVE-2025-48040

  *** POTENTIAL INCOMPATIBILITY ***

  Avoid decoding KEX messages that provide too many algorithms. This change does not introduce a new limitation but ensures that the limit is enforced earlier in the processing chain. Error logging during the handshake has also been adjusted.
- OTP-19742
  - Application(s): ssh
  - Related Id(s): PR-10155, CVE-2025-48039

  *** POTENTIAL INCOMPATIBILITY ***

  A new 'max_path' option is now available in the sshd configuration, allowing administrators to set the maximum allowable path length. By default, this value is set to 4096 characters.
- OTP-19748
  - Application(s): ssh
  - Related Id(s): PR-10156, CVE-2025-48038

  *** POTENTIAL INCOMPATIBILITY ***

  Reject file handles exceeding the size specified in the RFCs (256 bytes).
Full runtime dependencies of ssh-5.1.4.12: crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0
Thanks To
Marcel Lanz, Savvas Nicholas