Erlang/OTP 28.5.0.1

This release of Erlang/OTP can be built from source or installed using pre-built packages for your OS or third-party tools (such as kerl, asdf or mise).

docker run -it erlang:28.5.0.1

Patch Package: OTP 28.5.0.1
Git Tag: OTP-28.5.0.1
Date: 2026-05-27
Issue Id: CVE-2026-42789, CVE-2026-42790, ERIERL-1314, ERIERL-1315, ERIERL-1321
System: OTP
Release: 28
Application
Potential Incompatibilities

Potential Incompatibilities

OTP-20130
Application(s):
public_key, ssl
Related Id(s):

PR-11124, CVE-2026-42790

‘public_key’: Adheres to RFC 9525 and removes support for the legacy fallback of checking the hostname against the subject common name. Error handling is also improved by creating two separate errors for the name constraint check, one for subject names and one for subject alternative names.

‘ssl’: Error handling is slightly changed to better reflect public_key behaviour.
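
An added example, not part of the OTP release notes or the OTP code base: an Erlang module that flags certificates carrying no dNSName subject alternative name, which are the ones that could only match a hostname through the removed common-name fallback. The module name san_audit, its function names and the example.test hostnames are assumptions made for illustration; the two demo certificates are constructed with public_key:pkix_test_root_cert/2.

```erlang
-module(san_audit).
-export([dns_sans/1, classify/2, audit_pem/2, demo/0]).
-include_lib("public_key/include/public_key.hrl").

%% dNSName entries of the subjectAltName extension in a DER certificate.
dns_sans(Der) ->
    #'OTPCertificate'{tbsCertificate = TBS} =
        public_key:pkix_decode_cert(Der, otp),
    Exts = case TBS#'OTPTBSCertificate'.extensions of
               asn1_NOVALUE -> [];
               List -> List
           end,
    [Name || #'Extension'{extnID = ?'id-ce-subjectAltName',
                          extnValue = Names} <- Exts,
             {dNSName, Name} <- Names].

%% Classify one certificate against the hostname clients will verify.
classify(Der, Host) ->
    Match = public_key:pkix_verify_hostname(Der, [{dns_id, Host}]),
    case {dns_sans(Der), Match} of
        {[], _}       -> no_dns_san;          % depended on the CN fallback
        {_, true}     -> ok;
        {Sans, false} -> {san_mismatch, Sans}
    end.

%% Classify every certificate found in a PEM file.
audit_pem(Path, Host) ->
    {ok, Pem} = file:read_file(Path),
    [classify(Der, Host)
     || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)].

%% Constructed sample input: one CN-only certificate, one with a SAN.
demo() ->
    San = #'Extension'{extnID = ?'id-ce-subjectAltName',
                       extnValue = [{dNSName, "modern.example.test"}],
                       critical = false},
    #{cert := CnOnly} =
        public_key:pkix_test_root_cert("legacy.example.test", []),
    #{cert := WithSan} =
        public_key:pkix_test_root_cert("modern.example.test",
                                       [{extensions, [San]}]),
    [{cn_only, classify(CnOnly, "legacy.example.test")},
     {with_san, classify(WithSan, "modern.example.test")}].
```

Certificates reported as no_dns_san need to be reissued with a subject alternative name before peers upgrade to this patch.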

compiler-9.0.6.1

The compiler-9.0.6.1 application can be applied independently of other applications on a full OTP 28 installation.

OTP-20140
Related Id(s):

GH-11088, PR-11089

In rare circumstances, optimization of boolean expressions could invert the boolean value.

Full runtime dependencies of compiler-9.0.6.1

crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0

erts-16.4.0.1

The erts-16.4.0.1 application can be applied independently of other applications on a full OTP 28 installation.

OTP-20123

Fixed erlang:md5_init to always return the same deterministic context binary. Only an issue in OTP 28.5 when OTP was built with --disable-builtin-openssl or --enable-use-embedded-3pp-alternatives.

OTP-20126
Related Id(s):

PR-11067

Added an explicit configure test for the C++ function std::to_chars if the option --disable-builtin-ryu or --enable-use-embedded-3pp-alternatives is used.

Full runtime dependencies of erts-16.4.0.1

kernel-9.0, sasl-3.3, stdlib-4.1

inets-9.6.2.1

The inets-9.6.2.1 application can be applied independently of other applications on a full OTP 28 installation.

OTP-20128
Related Id(s):

ERIERL-1314, PR-11079

A call to httpd:reload_config/2 now validates the new configuration before removing the old one, leaving the server running in case of faulty config, instead of putting it in an unrecoverable state.

Full runtime dependencies of inets-9.6.2.1

erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0

kernel-10.6.3.1

The kernel-10.6.3.1 application can be applied independently of other applications on a full OTP 28 installation.

OTP-20131
Related Id(s):

GH-10968, OTP-20102

Incorrect TOS format when using gen_udp with socket backend

OTP-20134
Related Id(s):

PR-11007

After SCTP peeloff of an IPv6 socket, the peeled-off socket does not inherit the parent options as expected.

Full runtime dependencies of kernel-10.6.3.1

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0

public_key-1.20.3.1

Note! The public_key-1.20.3.1 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependency has to be satisfied:
   -- crypto-5.8 (first satisfied in OTP 28.3)

OTP-20112
Related Id(s):

PR-11136

OCSP responder certificates are now checked for expiration before being accepted as authorized responders. Previously, expired or not-yet-valid responder certificates were incorrectly accepted when verifying OCSP responses.

OTP-20129
Related Id(s):

PR-11123, CVE-2026-42789

Corrected the basic constraint path validation check in accordance with RFC 5280.

OTP-20130
POTENTIAL INCOMPATIBILITY
 

‘public_key’: Adheres to RFC 9525 and removes support for the legacy fallback of checking the hostname against the subject common name. Error handling is also improved by creating two separate errors for the name constraint check, one for subject names and one for subject alternative names.

‘ssl’: Error handling is slightly changed to better reflect public_key behaviour.

Full runtime dependencies of public_key-1.20.3.1

asn1-5.0, crypto-5.8, erts-13.0, kernel-8.0, stdlib-4.0

snmp-5.20.2.1

The snmp-5.20.2.1 application can be applied independently of other applications on a full OTP 28 installation.

OTP-20138
Related Id(s):

ERIERL-1321, PR-11100

Fixed a bug in snmpm_usm:generate_outgoing_msg/5 that caused a badmatch crash when constructing an error response for an unknown user/engineID combination.

Full runtime dependencies of snmp-5.20.2.1

asn1-5.4, crypto-4.6, erts-12.0, kernel-8.0, mnesia-4.12, runtime_tools-1.8.14, stdlib-5.0

ssl-11.6.0.1

Note! The ssl-11.6.0.1 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependencies have to be satisfied:
   -- crypto-5.8 (first satisfied in OTP 28.3)
   -- public_key-1.20.3.1 (first satisfied in OTP 28.5.0.1)

OTP-20116
Related Id(s):

GH-11030, PR-11062

Added missing clauses to ssl_handshake:extension_value/1. If a hello extension lacking a handling clause was present in a paused handshake, the handshake would fail.

OTP-20130
POTENTIAL INCOMPATIBILITY
 

‘public_key’: Adheres to RFC 9525 and removes support for the legacy fallback of checking the hostname against the subject common name. Error handling is also improved by creating two separate errors for the name constraint check, one for subject names and one for subject alternative names.

‘ssl’: Error handling is slightly changed to better reflect public_key behaviour.

OTP-20141
Related Id(s):

PR-11125

Could cause the server to terminate a connection without an alert towards a bad client.

Full runtime dependencies of ssl-11.6.0.1

crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.20.3.1, runtime_tools-1.15.1, stdlib-7.0

wx-2.5.4.1

The wx-2.5.4.1 application can be applied independently of other applications on a full OTP 28 installation.

OTP-20119
Related Id(s):

ERIERL-1315, PR-11032

The examples for wx are now only installed in one place (in doc/examples).

Full runtime dependencies of wx-2.5.4.1

erts-12.0, kernel-8.0, stdlib-5.0

Thanks To

Martin Hässler, Paul Guyot