Erlang/OTP 26.2.5.21

This release of Erlang/OTP can be built from source or installed using pre-built packages for your OS or third-party tools (such as kerl, asdf or mise).

docker run -it erlang:26.2.5.21
Patch Package: OTP 26.2.5.21
Git Tag: OTP-26.2.5.21
Date: 2026-05-27
Issue Id: CVE-2026-42789, CVE-2026-42790, ERIERL-1314
System: OTP
Release: 26
Application
Potential Incompatibilities

Potential Incompatibilities

OTP-20130
Application(s):
public_key, ssl
Related Id(s):
PR-11124, CVE-2026-42790

public_key: Adheres to RFC 9525 and removes support for the legacy fallback that checked the hostname against the subject common name. Error handling is also improved: the name constraint check now reports two separate errors, one for subject names and one for subject alternative names.

ssl: Error handling is slightly changed to better reflect public_key behaviour.

erts-14.2.5.15

The erts-14.2.5.15 application can be applied independently of other applications on a full OTP 26 installation.

OTP-20098
Application(s):
erts
Related Id(s):
PR-10976

Fixed a bug in enif_make_map_from_arrays for arrays with at least 33 keys. If duplicate keys existed, instead of failing, it would skip the duplicates. If fewer than 33 unique keys existed, an internally inconsistent and broken map was returned.

Full runtime dependencies of erts-14.2.5.15: kernel-9.0, sasl-3.3, stdlib-4.1

inets-9.1.0.7

The inets-9.1.0.7 application can be applied independently of other applications on a full OTP 26 installation.

OTP-20128
Application(s):
inets
Related Id(s):
ERIERL-1314, PR-11079

A call to httpd:reload_config/2 now validates the new configuration before removing the old one. If the new configuration is faulty, the server keeps running instead of being put in an unrecoverable state.

Full runtime dependencies of inets-9.1.0.7: erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0

public_key-1.15.1.7

The public_key-1.15.1.7 application can be applied independently of other applications on a full OTP 26 installation.

OTP-20129
Application(s):
public_key
Related Id(s):
PR-11123, CVE-2026-42789

Corrected the basic constraint path validation check in accordance with RFC 5280.

OTP-20130
Application(s):
public_key, ssl
Related Id(s):
PR-11124, CVE-2026-42790

*** POTENTIAL INCOMPATIBILITY ***

public_key: Adheres to RFC 9525 and removes support for the legacy fallback that checked the hostname against the subject common name. Error handling is also improved: the name constraint check now reports two separate errors, one for subject names and one for subject alternative names.

ssl: Error handling is slightly changed to better reflect public_key behaviour.

Full runtime dependencies of public_key-1.15.1.7: asn1-3.0, crypto-4.6, erts-6.0, kernel-3.0, stdlib-3.5

ssl-11.1.4.13

Note! The ssl-11.1.4.13 application *cannot* be applied independently of other applications on an arbitrary OTP 26 installation. On a full OTP 26 installation, the following runtime dependency also has to be satisfied: public_key-1.15.1.7 (first satisfied in OTP 26.2.5.21)

OTP-20130
Application(s):
public_key, ssl
Related Id(s):
PR-11124, CVE-2026-42790

*** POTENTIAL INCOMPATIBILITY ***

public_key: Adheres to RFC 9525 and removes support for the legacy fallback that checked the hostname against the subject common name. Error handling is also improved: the name constraint check now reports two separate errors, one for subject names and one for subject alternative names.

ssl: Error handling is slightly changed to better reflect public_key behaviour.
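One way to audit certificates ahead of the OTP-20130 change, as an added example that is not part of these release notes or of OTP itself: it flags certificates with no subject alternative name identifiers, which could only have matched a hostname through the removed common name fallback. The module name `san_audit`, its function names and the `api.example.test` sample values are assumptions; the records and macro come from the public_key header shipped with OTP 26.

```erlang
-module(san_audit).
-export([check_pem/2, classify/1, demo/0]).
-include_lib("public_key/include/public_key.hrl").

%% For every certificate in a PEM file, return {Classification, Matches}:
%% Classification is the result of classify/1, Matches is what
%% public_key:pkix_verify_hostname/2 says for Host on the running release.
check_pem(Path, Host) ->
    {ok, Pem} = file:read_file(Path),
    [{classify(Cert), public_key:pkix_verify_hostname(Cert, [{dns_id, Host}])}
     || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem),
        Cert <- [public_key:pkix_decode_cert(Der, otp)]].

%% {san, Ids} : the certificate carries identifiers in subjectAltName.
%% cn_only    : no usable subjectAltName entry, so only the subject common
%%              name could ever have matched a hostname.
classify(#'OTPCertificate'{
            tbsCertificate = #'OTPTBSCertificate'{extensions = Exts}}) ->
    case san_ids(Exts) of
        []  -> cn_only;
        Ids -> {san, Ids}
    end.

%% Collect the GeneralName entries usable as reference identifiers.
%% A certificate without extensions decodes to asn1_NOVALUE.
san_ids(asn1_NOVALUE) ->
    [];
san_ids(Exts) ->
    [Id || #'Extension'{extnID = ?'id-ce-subjectAltName',
                        extnValue = Names} <- Exts,
           {Type, _} = Id <- Names,
           lists:member(Type, [dNSName, iPAddress, uniformResourceIdentifier])].

%% Constructed sample input: two hand-built decoded certificates, one with a
%% dNSName entry and one with no extensions at all. Only the fields that
%% classify/1 reads are filled in.
demo() ->
    San = #'Extension'{extnID = ?'id-ce-subjectAltName',
                       critical = false,
                       extnValue = [{dNSName, "api.example.test"}]},
    [classify(cert([San])), classify(cert(asn1_NOVALUE))].

cert(Exts) ->
    #'OTPCertificate'{
       tbsCertificate = #'OTPTBSCertificate'{extensions = Exts}}.
```

Certificates reported as `cn_only` are the ones to reissue with subject alternative name entries before moving to a release that contains this change.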

Full runtime dependencies of ssl-11.1.4.13: crypto-5.0, erts-14.0, inets-5.10.7, kernel-9.0, public_key-1.15.1.7, runtime_tools-1.15.1, stdlib-4.1

Thanks To

Nick Vatamaniuc