Erlang/OTP 26.2.5.20

This release of Erlang/OTP can be built from source or installed using pre-built packages for your OS or third-party tools (such as kerl, asdf or mise).

docker run -it erlang:26.2.5.20
Erlang/OTP 26.2.5.20
View on github.com
Patch Package OTP 26.2.5.20
Git Tag OTP-26.2.5.20
Date 2026-04-21
Issue Id
CVE-2026-32147
System OTP
Release 26
Application

erts-14.2.5.14 #

The erts-14.2.5.14 application can be applied independently of other applications on a full OTP 26 installation.

OTP-20101
Application(s):
erts
Related Id(s):
GH-10667

Fixed an issue when supplying the args_file option to erl.exe on windows that did not handle unicode characters correctly.

Full runtime dependencies of erts-14.2.5.14: kernel-9.0, sasl-3.3, stdlib-4.1

ssh-5.1.4.15 #

The ssh-5.1.4.15 application can be applied independently of other applications on a full OTP 26 installation.

OTP-20081
Application(s):
ssh
Related Id(s):
PR-11027 , CVE-2026-32147

Fixed a vulnerability in the SFTP server where file attributes could be modified outside the configured root directory. When using FSETSTAT on an open file handle, the operation used the path stored in the handle without verifying it was within the root directory, allowing attribute changes to files outside the chroot boundary.

Thanks to John Downey.

Full runtime dependencies of ssh-5.1.4.15: crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-5.0