Erlang/OTP 27.3.4.9

This release of Erlang/OTP can be built from source or installed using pre-built packages for your OS or third-party tools (such as kerl, asdf or mise).

docker run -it erlang:27.3.4.9

Patch Package: OTP 27.3.4.9
Git Tag: OTP-27.3.4.9
Date: 2026-03-12
Issue Id: CVE-2026-23941, CVE-2026-23942, CVE-2026-23943, ERIERL-1305
System: OTP
Release: 27
Application: inets-9.3.2.3, ssh-5.2.11.6, ssl-11.2.12.6

inets-9.3.2.3

The inets-9.3.2.3 application can be applied independently of other applications on a full OTP 27 installation.

OTP-20007
Related Id(s):

PR-10833, CVE-2026-23941

The httpd server now rejects HTTP requests containing multiple Content-Length headers with different values, returning a 400 Bad Request response. This prevents potential HTTP request smuggling attacks. Thanks to Luigino Camastra at Aisle Research for responsibly disclosing this vulnerability.

Full runtime dependencies of inets-9.3.2.3

erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0

ssh-5.2.11.6

The ssh-5.2.11.6 application can be applied independently of other applications on a full OTP 27 installation.

OTP-20009
Related Id(s):

PR-10811, CVE-2026-23942

Fixed a path traversal vulnerability in the SFTP server's root option that allowed authenticated users to access sibling directories whose names share a prefix with the root. The root option used string prefix matching instead of path component validation: with {root, "/home/user1"}, attackers could access /home/user10/ or /home/user123/. Thanks to Luigino Camastra, Aisle Research.
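The prefix-matching flaw in OTP-20009, shown as an added Python example (not the OTP ssh application's own Erlang code): the string-prefix check beside a component-wise check. The root value is the one from the note; the sample paths are constructed.

```python
import posixpath

# Root directory from the release note's example option {root, "/home/user1"}
ROOT = "/home/user1"

# Constructed sample requests (not from the advisory); all are absolute paths
SAMPLE_PATHS = [
    "/home/user1/docs/notes.txt",          # inside the root
    "/home/user10/secret.txt",             # sibling sharing the prefix "user1"
    "/home/user123/.ssh/id_ed25519",       # another prefix-sharing sibling
    "/home/user1/../user10/secret.txt",    # escapes via ".." but keeps the prefix
    "/home/user1",                         # the root itself
]


def allowed_prefix_match(root: str, path: str) -> bool:
    """Flawed check of the kind the note describes: plain string prefix."""
    return path.startswith(root)


def allowed_component_match(root: str, path: str) -> bool:
    """Corrected check: normalise, then compare whole path components.

    posixpath.normpath resolves "." and ".." lexically (it does not follow
    symlinks); the root must then be an exact component-wise prefix.
    """
    root_parts = posixpath.normpath(root).split("/")
    path_parts = posixpath.normpath(path).split("/")
    return path_parts[: len(root_parts)] == root_parts


def compare(root: str = ROOT, paths=SAMPLE_PATHS) -> dict:
    """Return {path: (prefix_check_result, component_check_result)}."""
    return {p: (allowed_prefix_match(root, p), allowed_component_match(root, p))
            for p in paths}


if __name__ == "__main__":
    for path, (flawed, fixed) in compare().items():
        print(f"{path:40} prefix={flawed!s:5} component={fixed!s:5}")
```

The component check rejects every sibling path and the ".." escape while still admitting the root and anything beneath it.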

OTP-20011
Related Id(s):

PR-10813, CVE-2026-23943

Fixed an excessive memory usage vulnerability in SSH compression that allowed attackers to consume system resources through decompression bombs. The 'zlib' and 'zlib@openssh.com' algorithms lacked decompression size limits, allowing 256 KB packets to expand to 255 MB (a 1029:1 ratio). This could lead to crashes on systems with limited memory.

The fix removes zlib from the default compression algorithms and implements decompression size limits for both algorithms. Thanks to Igor Morgenstern at Aisle Research.

Full runtime dependencies of ssh-5.2.11.6

crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

ssl-11.2.12.6

Note! The ssl-11.2.12.6 application cannot be applied independently of other applications on an arbitrary OTP 27 installation.

On a full OTP 27 installation, the following runtime dependency also has to be satisfied:
-- public_key-1.16.4 (first satisfied in OTP 27.1.3)

OTP-19990
Related Id(s):

GH-10698, PR-10723

The NSS keylogging refactoring mixed up the Read and Write connection states, which could cause wrong NSS keylog labels, or {error, closed} being returned without a keylog.

OTP-20022
Related Id(s):

ERIERL-1305, GH-10694, PR-10707

The TLS-1.3 certificate request now preserves the order of signature algorithms in the certificate request extension so that it matches the server's preferred order, which might affect the choice made by some TLS clients.

Full runtime dependencies of ssl-11.2.12.6

crypto-5.0, erts-15.0, inets-5.10.7, kernel-9.0, public_key-1.16.4, runtime_tools-1.15.1, stdlib-6.0

Thanks To

Hewwho