Erlang/OTP 26.2.5.13

This release of Erlang/OTP can be built from source or installed using pre-built packages for your OS or third-party tools (such as kerl, asdf or mise).

docker run -it erlang:26.2.5.13
Erlang/OTP 26.2.5.13
View on github.com
Patch Package OTP 26.2.5.13
Git Tag OTP-26.2.5.13
Date 2025-06-16
Issue Id
CVE-2025-4748
System OTP
Release 26
Application

asn1-5.2.2.1 #

The asn1-5.2.2.1 application can be applied independently of other applications on a full OTP 26 installation.

OTP-19638
Application(s):
asn1
Related Id(s):
GH-9841 , PR-9846

The ASN.1 compiler could generate code that would cause Dialyzer with the unmatched_returns option to emit warnings.

Full runtime dependencies of asn1-5.2.2.1: erts-11.0, kernel-7.0, stdlib-3.13

kernel-9.2.4.9 #

The kernel-9.2.4.9 application can be applied independently of other applications on a full OTP 26 installation.

OTP-19667
Application(s):
kernel, stdlib
Related Id(s):
PR-9912

A remote shell can now exit by closing the input stream, without terminating the remote node.

Full runtime dependencies of kernel-9.2.4.9: crypto-5.0, erts-14.0, sasl-3.0, stdlib-5.0

ssh-5.1.4.10 #

The ssh-5.1.4.10 application can be applied independently of other applications on a full OTP 26 installation.

OTP-19634
Application(s):
ssh
Related Id(s):
GH-9102 , PR-9103

Various channel closing robustness improvements. Avoid crashes when channel handling process closes channel and immediately exits. Avoid breaking the protocol by sending duplicated channel-close messages. Cleanup channels which timeout during closing procedure.

OTP-19637
Application(s):
ssh
Related Id(s):
GH-6463 , PR-9838

Improved interoperability with clients acting as Paramiko.

Full runtime dependencies of ssh-5.1.4.10: crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-5.0

stdlib-5.2.3.4 #

The stdlib-5.2.3.4 application can be applied independently of other applications on a full OTP 26 installation.

OTP-19649
Application(s):
stdlib
Related Id(s):
GH-9771 , PR-9898

It's now possible to write lists:map(fun is_atom/1, []) or lists:map(fun my_func/1, []), in the shell, instead of lists:map(fun erlang:is_atom/1, []) or lists:map(fun shell_default:my_func/1, []).

OTP-19653
Application(s):
stdlib
Related Id(s):
PR-9941 , CVE-2025-4748

Properly strip the leading / and drive letter from filepaths when zipping and unzipping archives.

Thanks to Wander Nauta for finding and responsibly disclosing this vulnerability to the Erlang/OTP project.

OTP-19667
Application(s):
kernel, stdlib
Related Id(s):
PR-9912

A remote shell can now exit by closing the input stream, without terminating the remote node.

Full runtime dependencies of stdlib-5.2.3.4: compiler-5.0, crypto-4.5, erts-13.1, kernel-9.0, sasl-3.0

Thanks To #

Yaroslav Maslennikov