Erlang/OTP 26.2.5.17

This release of Erlang/OTP can be built from source or installed using pre-built packages for your OS or third-party tools (such as kerl, asdf or mise).

docker run -it erlang:26.2.5.17
Erlang/OTP 26.2.5.17
View on github.com
Patch Package OTP 26.2.5.17
Git Tag OTP-26.2.5.17
Date 2026-02-20
Issue Id
CVE-2026-21620
System OTP
Release 26
Application

compiler-8.4.3.4 #

The compiler-8.4.3.4 application can be applied independently of other applications on a full OTP 26 installation.

OTP-19845
Application(s):
compiler
Related Id(s):
GH-10354 , PR-10358

Fixed broken type inference for lists:mapfoldl/r.

Full runtime dependencies of compiler-8.4.3.4: crypto-5.1, erts-13.0, kernel-8.4, stdlib-5.0

crypto-5.4.2.4 #

The crypto-5.4.2.4 application can be applied independently of other applications on a full OTP 26 installation.

OTP-19993
Application(s):
crypto
Related Id(s):
PR-10732

Fixed static linking of OpenSSL 3.5+ on Windows.

Full runtime dependencies of crypto-5.4.2.4: erts-9.0, kernel-5.3, stdlib-3.9

erts-14.2.5.13 #

The erts-14.2.5.13 application can be applied independently of other applications on a full OTP 26 installation.

OTP-19926
Application(s):
erts
Related Id(s):
PR-10547

Fail the windows build properly when nsis is not recognised.

OTP-19962
Application(s):
erts, stdlib
Related Id(s):
PR-10616

Fixed bug in ets:update_counter/4 and ets:update_element/4 accepting and inserting a default tuple smaller than the keypos of the table. Such a tuple without a key element would make the table internally inconsistent and might lead to bad behavior at table access, like ERTS runtime crash.

Now a call to ets:update_counter/4 or ets:update_element/4 will fail with badarg if the key does not exist in the table and the default tuple is too small.

OTP-19978
Application(s):
erts
Related Id(s):
PR-10664

A missing memory barrier when unlocking process locks could cause unexpected behavior on architectures with weak memory ordering such as for example ARM.

Full runtime dependencies of erts-14.2.5.13: kernel-9.0, sasl-3.3, stdlib-4.1

megaco-4.5.0.1 #

The megaco-4.5.0.1 application can be applied independently of other applications on a full OTP 26 installation.

OTP-19896
Application(s):
megaco

The megaco_tcp module had debug unintentionally enabled.

Full runtime dependencies of megaco-4.5.0.1: asn1-3.0, debugger-4.0, erts-12.0, et-1.5, kernel-8.0, runtime_tools-1.8.14, stdlib-2.5

ssl-11.1.4.11 #

The ssl-11.1.4.11 application can be applied independently of other applications on a full OTP 26 installation.

OTP-19830
Application(s):
ssl
Related Id(s):
PR-10339

If two certificate massages are sent to the server generate an unexpected message alert for the second one.

Full runtime dependencies of ssl-11.1.4.11: crypto-5.0, erts-14.0, inets-5.10.7, kernel-9.0, public_key-1.11.3, runtime_tools-1.15.1, stdlib-4.1

stdlib-5.2.3.6 #

The stdlib-5.2.3.6 application can be applied independently of other applications on a full OTP 26 installation.

OTP-19962
Application(s):
erts, stdlib
Related Id(s):
PR-10616

Fixed bug in ets:update_counter/4 and ets:update_element/4 accepting and inserting a default tuple smaller than the keypos of the table. Such a tuple without a key element would make the table internally inconsistent and might lead to bad behavior at table access, like ERTS runtime crash.

Now a call to ets:update_counter/4 or ets:update_element/4 will fail with badarg if the key does not exist in the table and the default tuple is too small.

OTP-19988
Application(s):
stdlib
Related Id(s):
GH-10705 , PR-10708

For a function that started with a bracket-only pattern (such as []), the ?FUNCTION_ARITY macro would evaluate to one less than the actual arity.

Full runtime dependencies of stdlib-5.2.3.6: compiler-5.0, crypto-4.5, erts-13.1, kernel-9.0, sasl-3.0

tftp-1.1.1.1 #

The tftp-1.1.1.1 application can be applied independently of other applications on a full OTP 26 installation.

OTP-19981
Application(s):
tftp
Related Id(s):
PR-10706 , CVE-2026-21620

An issue in the undocumented initial state option [{root_dir,Dir}] to the tftp_file module has been fixed. The request file name was just concatenated to Dir so it was possible to traverse above Dir by using "../" file path components. Now the option actually restricts local file operations to the Dir directory and subdirectories.

The initial state option and how to use it was previously undocumented, so it is unlikely that anyone would have used it without understanding its peculiarities.

The documentation of the TFTP application has also been clarified to make it obvious that the default server configuration allows read and write access to all files that are readable or writable by the user running the Erlang VM, and that the default configuration therefore should be avoided.

Thanks to Luigino Camastra at Aisle Research, for finding and reporting this issue.

Full runtime dependencies of tftp-1.1.1.1: erts-6.0, kernel-6.0, stdlib-5.0

wx-2.4.1.1 #

The wx-2.4.1.1 application can be applied independently of other applications on a full OTP 26 installation.

OTP-19843
Application(s):
wx
Related Id(s):
PR-10353

Fixed reading out of array bounds and potential memory leaks.

Full runtime dependencies of wx-2.4.1.1: erts-12.0, kernel-8.0, stdlib-5.0

Thanks To #

Daniel Hryzbil, Jan Uhlig