Erlang/OTP 28.0.3

This release of Erlang/OTP can be built from source or installed using pre-built packages for your OS or third-party tools (such as kerl, asdf or mise).

docker run -it erlang:28.0.3
Patch Package: OTP 28.0.3
Git Tag: OTP-28.0.3
Date: 2025-09-10
Issue Id: CVE-2025-48038, CVE-2025-48039, CVE-2025-48040, CVE-2025-48041, CVE-2025-58050
System: OTP
Release: 28
Application
Potential Incompatibilities

Potential Incompatibilities #

OTP-19701
Application(s):
ssh
Related Id(s):

PR-10157, CVE-2025-48041

The max_handles option can be configured for an sshd running SFTP. Its positive integer value limits the number of file handles opened for a connection (by default 4096 is used).

OTP-19741
Application(s):
ssh
Related Id(s):

PR-10162, CVE-2025-48040

Avoid decoding KEX messages that provide too many algorithms. This change does not introduce a new limit, but ensures that the existing one is enforced earlier in the processing chain. Error logging during the handshake has also been adjusted.

OTP-19742
Application(s):
ssh
Related Id(s):

PR-10155, CVE-2025-48039

A new ‘max_path’ option is now available in the sshd configuration, allowing administrators to set the maximum allowable path length. By default, this value is set to 4096 characters.

OTP-19748
Application(s):
ssh
Related Id(s):

PR-10156, CVE-2025-48038

Reject file handles exceeding the size specified in the RFCs (256 bytes).

diameter-2.5.1 #

The diameter-2.5.1 application can be applied independently of other applications on a full OTP 28 installation.

OTP-19753
Related Id(s):

PR-9815

With this change, the message_cb callback is called with the updated state when processing ‘ack’ after ‘send’.

Full runtime dependencies of diameter-2.5.1

erts-10.0, kernel-3.2, ssl-9.0, stdlib-5.0

erts-16.0.3 #

The erts-16.0.3 application can be applied independently of other applications on a full OTP 28 installation.

OTP-19755
Related Id(s):

CVE-2025-58050

Update PCRE2 from 10.45 to 10.46. This fixes a potential buffer read overflow on regular expressions that combine the (*scs:) and (*ACCEPT) syntax.

OTP-19761
Related Id(s):

PR-19755

Fixed a bug that could crash a BEAM started with erl -emu_type debug +JPperf true when any type of return-from-function tracing was enabled.

Full runtime dependencies of erts-16.0.3

kernel-9.0, sasl-3.3, stdlib-4.1

ssh-5.3.3 #

The ssh-5.3.3 application can be applied independently of other applications on a full OTP 28 installation.

OTP-19701
POTENTIAL INCOMPATIBILITY

The max_handles option can be configured for an sshd running SFTP. Its positive integer value limits the number of file handles opened for a connection (by default 4096 is used).

OTP-19741
POTENTIAL INCOMPATIBILITY

Avoid decoding KEX messages that provide too many algorithms. This change does not introduce a new limit, but ensures that the existing one is enforced earlier in the processing chain. Error logging during the handshake has also been adjusted.

OTP-19742
POTENTIAL INCOMPATIBILITY

A new ‘max_path’ option is now available in the sshd configuration, allowing administrators to set the maximum allowable path length. By default, this value is set to 4096 characters.

OTP-19748
POTENTIAL INCOMPATIBILITY

Reject file handles exceeding the size specified in the RFCs (256 bytes).

Full runtime dependencies of ssh-5.3.3

crypto-5.0, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0
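As an added example (not code from the release notes or the OTP project), the following module starts an SFTP-enabled sshd that tightens the two new per-connection limits, max_handles and max_path, below their 4096 defaults. The placement of both options in the ssh_sftpd subsystem spec, as well as the port, paths and directories, are assumptions to check against the ssh_sftpd documentation shipped with ssh-5.3.3.

```erlang
%% Added example, not part of the OTP 28.0.3 release notes.
%% Starts an SFTP-only sshd with the new limits set below the
%% defaults described in OTP-19701 (max_handles) and OTP-19742 (max_path).
-module(hardened_sftpd).
-export([start/0, sftp_spec/0]).

%% Assumption: max_handles and max_path are accepted as options of the
%% ssh_sftpd subsystem spec. Both default to 4096 according to the notes.
sftp_spec() ->
    ssh_sftpd:subsystem_spec([
        {root, "/srv/sftp"},      % placeholder root directory for clients
        {max_handles, 256},       % cap open file handles per connection (default 4096)
        {max_path, 1024}          % cap path length in characters (default 4096)
    ]).

start() ->
    ok = ssh:start(),
    %% Port and key directories are placeholders for this example.
    ssh:daemon(2222, [
        {system_dir, "/etc/ssh/otp_host_keys"},   % host key directory
        {user_dir, "/srv/sftp/.ssh"},            % authorized_keys directory
        {subsystems, [sftp_spec()]}              % expose SFTP with the tightened limits
    ]).
```

Clients that open more than 256 handles or send paths longer than 1024 characters on one connection are rejected by the subsystem rather than consuming server resources.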

stdlib-7.0.3 #

Note! The stdlib-7.0.3 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

On a full OTP 28 installation, the following runtime dependency also has to be satisfied:
-- erts-16.0.3 (first satisfied in OTP 28.0.3)

OTP-19755
Related Id(s):

CVE-2025-58050

Update PCRE2 from 10.45 to 10.46. This fixes a potential buffer read overflow on regular expressions that combine the (*scs:) and (*ACCEPT) syntax.

Full runtime dependencies of stdlib-7.0.3

compiler-5.0, crypto-4.5, erts-16.0.3, kernel-10.0, sasl-3.0, syntax_tools-3.2.1

Thanks To #

Alberto Sartori