Erlang/OTP 29.0.3

This release of Erlang/OTP can be built from source or installed using pre-built packages for your OS or third-party tools (such as kerl, asdf or mise).

docker run -it erlang:29.0.3
Patch Package OTP 29.0.3
Git Tag OTP-29.0.3
Date 2026-07-02
Issue Id
CVE-2026-53422
CVE-2026-54886
CVE-2026-54887
CVE-2026-54891
CVE-2026-55950
CVE-2026-55952
ERIERL-1333
GH-SA-7wp4-pc27-2vj9
GH-SA-h9pw-h5w4-h976
System OTP
Release 29
Application

common_test-1.31.1 #

The common_test-1.31.1 application can be applied independently of other applications on a full OTP 29 installation.

OTP-20191
Related Id(s):

ERIERL-1333, PR-11230

Fixed a crash in ct_netconfc that occurred when the remote server closed the SSH connection during NETCONF subsystem negotiation.

Full runtime dependencies of common_test-1.31.1

compiler-10.0, crypto-4.5, debugger-4.1, erts-7.0, ftp-1.0, inets-6.0, kernel-11.0, observer-2.1, runtime_tools-1.8.16, sasl-2.5, snmp-5.1.2, ssh-4.0, stdlib-8.0, syntax_tools-1.7, tools-3.2, xmerl-1.3.8

compiler-10.0.2 #

The compiler-10.0.2 application can be applied independently of other applications on a full OTP 29 installation.

OTP-20222
Related Id(s):

PR-11219

Several compiler bugs that could crash the compiler or generate incorrect code in rare circumstances have been fixed.

Full runtime dependencies of compiler-10.0.2

crypto-5.1, erts-13.0, kernel-8.4, stdlib-8.0

crypto-5.9.1 #

The crypto-5.9.1 application can be applied independently of other applications on a full OTP 29 installation.

OTP-20215
Related Id(s):

PR-11302

crypto:compute_key/4 for eddh and crypto:generate_key/2,3 for eddh/eddsa now raise an error:{notsup, Info, Description} exception instead of returning the atom notsup when the underlying cryptolib lacks support.

Full runtime dependencies of crypto-5.9.1

erts-9.0, kernel-6.0, stdlib-3.9

dialyzer-6.0.2 #

The dialyzer-6.0.2 application can be applied independently of other applications on a full OTP 29 installation.

OTP-20201

Fix a bug with native record sets in erl_types.erl

Full runtime dependencies of dialyzer-6.0.2

compiler-10.0, erts-12.0, kernel-8.0, stdlib-5.0, syntax_tools-2.0

erts-17.0.3 #

The erts-17.0.3 application can be applied independently of other applications on a full OTP 29 installation.

OTP-20185
Related Id(s):

PR-11215

Fixed undefined behavior in the internal erts_qsort() function, which could have been the cause of a beam crash seen when updating large maps.

OTP-20208
Related Id(s):

PR-11269

Calculating bxor of the largest supported positive integer (erlang:system_info(max_integer)) and -1 would return [] instead of raising a system_limit exception.

OTP-20217
Related Id(s):

PR-11283

Fixed a possible race between ets:delete/1 and a terminating process holding a fixation on the same table.

OTP-20226
Related Id(s):

PR-11299

A few code generation issues for the JIT on AArch64 (ARM64) have been fixed.

For all platforms, the loader will reject some invalid BEAM files earlier.

OTP-20227
Related Id(s):

PR-11289

On 32-bit computers, the md5 BIFs would return an incorrect MD5 checksum for data of size 4GiB or more.

Full runtime dependencies of erts-17.0.3

kernel-9.0, sasl-3.3, stdlib-4.1

kernel-11.0.3 #

The kernel-11.0.3 application can be applied independently of other applications on a full OTP 29 installation.

OTP-20173

inet:info/1 could crash when called on a closing (port) socket.

OTP-20199
Related Id(s):

PR-11247

Handling of the truncation bit in inet_res has been fixed so it properly falls back to querying over TCP after a truncated UDP reply.

This fixes a bug introduced in OTP 28.4.2 (kernel-10.6.2) that made a truncated UDP answer fail to parse, so the TCP fallback was never executed and the name resolution failed instead.

Full runtime dependencies of kernel-11.0.3

crypto-5.8, erts-17.0, sasl-3.0, stdlib-8.0

public_key-1.21.3 #

The public_key-1.21.3 application can be applied independently of other applications on a full OTP 29 installation.

OTP-20197
Related Id(s):

PR-11239

Hardened OCSP response verification by using constant-time hash comparisons and rejecting responses exceeding 100 KB before ASN.1 decoding.

Full runtime dependencies of public_key-1.21.3

asn1-5.0, crypto-5.8, erts-13.0, kernel-8.0, stdlib-4.0

ssh-6.0.2 #

The ssh-6.0.2 application can be applied independently of other applications on a full OTP 29 installation.

OTP-20183
Related Id(s):

GH-SA-h9pw-h5w4-h976, PR-11294, CVE-2026-53422

Fixed a path-existence oracle in the SFTP server where SSH_FXP_REALPATH requests with .. components could bypass the configured root directory isolation, allowing an authenticated client to determine whether arbitrary paths exist on the host filesystem.

OTP-20186
Related Id(s):

GH-SA-7wp4-pc27-2vj9, PR-11295, CVE-2026-54886

Fixed an infinite loop in the SFTP server triggered when receiving SSH_MSG_CHANNEL_EXTENDED_DATA on an SFTP channel, which caused the channel process to spin indefinitely on CPU without consuming its message queue.

OTP-20196
Related Id(s):

PR-11209

Fixed mlkem768x25519 hybrid key exchange failing intermittently with “incorrect signature” when the X25519 shared secret had a leading zero byte. The shared secret is now encoded as a fixed-width 32-byte string per the specification.

OTP-20198
Related Id(s):

PR-11244

Fixed a race condition where SSH keepalive responses could be matched to unrelated pending requests due to incorrect request queue ordering. Requests are now matched in the order they were sent.

OTP-20200
Related Id(s):

PR-11259

The SFTP server now caps the read length in SSH_FXP_READ requests to 255 KiB (matching OpenSSH’s SFTP_MAX_READ_LENGTH), preventing excessive memory allocation when clients request large reads.

OTP-20206
Related Id(s):

PR-11268

Removed a server-side workaround (OTP-14827, introduced in OTP 20) that accepted SHA-1 user-auth signatures from clients identifying as OpenSSH 7.x when rsa-sha2-* was negotiated. The workaround addressed a distro-specific build issue in 2017 that no longer exists. Clients affected by this removal (extremely unlikely — requires a 10-year-old unpatched OpenSSH build) will see authentication failures and must upgrade.

Full runtime dependencies of ssh-6.0.2

crypto-5.7, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-8.0

ssl-11.7.3 #

Note! The ssl-11.7.3 application cannot be applied independently of other applications on an arbitrary OTP 29 installation.

On a full OTP 29 installation, the following runtime dependency also has to be satisfied:

-- public_key-1.21.1 (first satisfied in OTP 29.0.1)

OTP-20190
Related Id(s):

PR-11250

Corrected small behavior bugs that could occasionally cause DTLS connection errors, unwanted behavior for legacy DHE_DSS, hiding of a distribution configuration error, and a possible disorderly process-tree shutdown.

OTP-20194
Related Id(s):

PR-11271, CVE-2026-54887

Initialize the DTLS cookie to a random value to avoid a DoS attack with a forged cookie during the startup window.

OTP-20207
Related Id(s):

PR-11270, CVE-2026-54891

Guard the TLS client against MITM injection of application data during the plaintext window of the handshake.

OTP-20216
Related Id(s):

PR-11282, CVE-2026-55952

Improved TLS PSK error handling: an ILLEGAL_PARAMETER alert is now sent if the binders and PSK identities do not match. The recovery mechanism of the ticket and session stores has also been mended to be as resilient as possible to intermediate bugs.

OTP-20220
Related Id(s):

PR-11306, CVE-2026-55950

Fixed a race condition that could be used to mount a DoS attack against DTLS servers.

OTP-20230
Related Id(s):

PR-11307

A TLS-1.3 stateless session ticket with obfuscated_ticket_age set to zero was incorrectly accepted without checking the server-side ticket lifetime or the RFC 8446 Section 8.3 freshness window. The server now always validates ticket age using its own timestamp regardless of the client-reported age value.
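The server-side check described in OTP-20230, as an added illustration in Erlang that is not OTP's ssl code: a hypothetical ticket_age_check module in which both the ticket lifetime and the RFC 8446 Section 8.3 freshness window are judged from the server's own timestamps, so a client-reported obfuscated_ticket_age of zero gains nothing. The module and function names, the option keys and the default window are assumptions.

```erlang
%% Hypothetical illustration (not OTP's ssl code) of validating a TLS 1.3
%% PSK ticket age from the server's own clock, with the client-reported
%% obfuscated_ticket_age only cross-checked against it.
-module(ticket_age_check).
-export([validate/5, demo/0]).

-define(MASK32, 16#FFFFFFFF).

%% ObfuscatedAge : obfuscated_ticket_age from the ClientHello PSK identity (ms)
%% AgeAdd        : ticket_age_add stored with the ticket when it was issued
%% IssuedAtMs    : server timestamp (ms) recorded when the ticket was issued
%% NowMs         : current server timestamp (ms)
%% Opts          : #{lifetime_s => Seconds, window_ms => Tolerance} (assumed keys)
validate(ObfuscatedAge, AgeAdd, IssuedAtMs, NowMs, Opts) ->
    LifetimeMs  = maps:get(lifetime_s, Opts) * 1000,
    WindowMs    = maps:get(window_ms, Opts, 10000),
    %% Authoritative age: measured by the server, never taken from the client.
    ServerAgeMs = NowMs - IssuedAtMs,
    %% Client-reported age: undo the obfuscation modulo 2^32 (RFC 8446 4.2.11).
    %% band on a negative integer yields the two's-complement low 32 bits.
    ClientAgeMs = (ObfuscatedAge - AgeAdd) band ?MASK32,
    if
        ServerAgeMs < 0 ->
            {error, clock_skew};
        ServerAgeMs > LifetimeMs ->
            {error, ticket_expired};        % server-side ticket lifetime
        abs(ClientAgeMs - ServerAgeMs) > WindowMs ->
            {error, age_mismatch};          % RFC 8446 Section 8.3 freshness window
        true ->
            ok
    end.

%% Constructed sample values showing the honest case and two zero-age claims.
demo() ->
    Issued = 1000000,
    Add    = 16#5A5A5A5A,
    Opts   = #{lifetime_s => 7200, window_ms => 10000},
    %% Honest client presenting the ticket 5 s after issue.
    ok = validate((5000 + Add) band ?MASK32, Add, Issued, Issued + 5000, Opts),
    %% obfuscated_ticket_age = 0 on a 3-hour-old ticket: lifetime check rejects it.
    {error, ticket_expired} =
        validate(0, Add, Issued, Issued + 3 * 3600 * 1000, Opts),
    %% obfuscated_ticket_age = 0 on a fresh ticket: decoded age does not match
    %% the server-measured age, so the freshness window rejects it.
    {error, age_mismatch} = validate(0, Add, Issued, Issued + 5000, Opts),
    ok.
```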

OTP-20231
Related Id(s):

PR-11309

The TLS-1.3 client now rejects a second HelloRetryRequest, as required by RFC 8446 Section 4.1.4.

OTP-20232
Related Id(s):

PR-11311

A busy client node using auto mode could, with unlucky scheduling, trigger a crash of its own ticket store.

OTP-20233
Related Id(s):

PR-11281

Corrected the spec for the CRL API.

Full runtime dependencies of ssl-11.7.3

crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.21.1, runtime_tools-1.15.1, stdlib-7.0

stdlib-8.0.2 #

The stdlib-8.0.2 application can be applied independently of other applications on a full OTP 29 installation.

OTP-20222
Related Id(s):

PR-11219

Several compiler bugs that could crash the compiler or generate incorrect code in rare circumstances have been fixed.

Full runtime dependencies of stdlib-8.0.2

compiler-5.0, crypto-4.5, erts-16.0.3, kernel-11.0, sasl-3.0, syntax_tools-3.2.1

Thanks To #

Cole Christensen, Nick Krichevsky, Stefan Grundmann