Erlang/OTP 27.3.4.14

This release of Erlang/OTP can be built from source or installed using pre-built packages for your OS or third-party tools (such as kerl, asdf or mise).

docker run -it erlang:27.3.4.14

Patch Package: OTP 27.3.4.14
Git Tag: OTP-27.3.4.14
Date: 2026-07-02
Issue Id: CVE-2026-53422, CVE-2026-54886, CVE-2026-54887, CVE-2026-54891, CVE-2026-55950, CVE-2026-55952, ERIERL-1333, GH-SA-7wp4-pc27-2vj9, GH-SA-h9pw-h5w4-h976
System: OTP
Release: 27
Application: common_test-1.27.7.1, crypto-5.5.3.3, erts-15.2.7.10, public_key-1.17.1.4, ssh-5.2.11.9, ssl-11.2.12.10

common_test-1.27.7.1

The common_test-1.27.7.1 application can be applied independently of other applications on a full OTP 27 installation.

OTP-20191
Related Id(s):

ERIERL-1333, PR-11230

Fixed a crash in ct_netconfc that occurred when the remote server closed the SSH connection during NETCONF subsystem negotiation.

Full runtime dependencies of common_test-1.27.7.1

compiler-6.0, crypto-4.5, debugger-4.1, erts-7.0, ftp-1.0, inets-6.0, kernel-8.4, observer-2.1, runtime_tools-1.8.16, sasl-2.5, snmp-5.1.2, ssh-4.0, stdlib-4.0, syntax_tools-1.7, tools-3.2, xmerl-1.3.8

crypto-5.5.3.3

The crypto-5.5.3.3 application can be applied independently of other applications on a full OTP 27 installation.

OTP-20215
Related Id(s):

PR-11302

crypto:compute_key/4 for eddh and crypto:generate_key/2,3 for eddh/eddsa now raise an error:{notsup, Info, Description} exception instead of returning the atom notsup when the underlying cryptolib lacks support.

Full runtime dependencies of crypto-5.5.3.3

erts-9.0, kernel-5.3, stdlib-3.9

erts-15.2.7.10

The erts-15.2.7.10 application can be applied independently of other applications on a full OTP 27 installation.

OTP-20185
Related Id(s):

PR-11215

Fixed an undefined behavior in the internal erts_qsort() function, which could have been the cause of a beam crash seen when updating large maps.

OTP-20208
Related Id(s):

PR-11269

Calculating bxor of the largest supported positive integer (erlang:system_info(max_integer)) and -1 would return [] instead of raising a system_limit exception.

OTP-20217
Related Id(s):

PR-11283

Fix a possible race between ets:delete/1 and a terminating process holding a fixation on the same table.

OTP-20226
Related Id(s):

PR-11299

A few code generation issues for the JIT on AArch64 (ARM64) have been fixed.

For all platforms, the loader will reject some invalid BEAM files earlier.

OTP-20211
Related Id(s):

PR-11274

Arithmetic operations on large integers will now increase the reduction count for the process, causing context switches to occur more frequently when doing arithmetic on large integers.

Full runtime dependencies of erts-15.2.7.10

kernel-9.0, sasl-3.3, stdlib-4.1

public_key-1.17.1.4

The public_key-1.17.1.4 application can be applied independently of other applications on a full OTP 27 installation.

OTP-20197
Related Id(s):

PR-11239

Hardened OCSP response verification by using constant-time hash comparisons and rejecting responses exceeding 100 KB before ASN.1 decoding.

Full runtime dependencies of public_key-1.17.1.4

asn1-5.0, crypto-5.0, erts-13.0, kernel-8.0, stdlib-4.0

ssh-5.2.11.9

The ssh-5.2.11.9 application can be applied independently of other applications on a full OTP 27 installation.

OTP-20183
Related Id(s):

GH-SA-h9pw-h5w4-h976, PR-11294, CVE-2026-53422

Fixed a path-existence oracle in the SFTP server where SSH_FXP_REALPATH requests with .. components could bypass the configured root directory isolation, allowing an authenticated client to determine whether arbitrary paths exist on the host filesystem.
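One way to confine client-supplied SFTP paths to the configured root, as an added Erlang example that is not OTP's ssh_sftpd code (the module and function names are hypothetical): "." and ".." components are collapsed lexically against the root before any filesystem call, so a path that would climb out of the root is rejected without touching the host filesystem and therefore cannot reveal whether anything exists there.

```erlang
%% Added example, not OTP's ssh_sftpd implementation. Module name is hypothetical.
-module(sftp_root_guard).
-export([resolve_within_root/2]).

%% Root: the configured (absolute) root directory of the SFTP server.
%% Req:  the path supplied by the client, e.g. in SSH_FXP_REALPATH.
%% Returns {ok, AbsPath} with AbsPath inside Root, or {error, outside_root}.
%% Normalisation is purely lexical: it never consults the filesystem,
%% so a rejected path leaks nothing about what exists on the host.
resolve_within_root(Root, Req) ->
    RootParts = filename:split(Root),
    %% A leading "/" from the client is interpreted relative to Root.
    RelParts = case filename:split(Req) of
                   ["/" | Rest] -> Rest;
                   Parts -> Parts
               end,
    case normalize(RelParts, []) of
        {ok, Clean} -> {ok, filename:join(RootParts ++ Clean)};
        {error, _} = Err -> Err
    end.

%% Collapse "." and ".." without ever popping past the root.
normalize([], Acc) -> {ok, lists:reverse(Acc)};
normalize(["." | T], Acc) -> normalize(T, Acc);
normalize([".." | _], []) -> {error, outside_root};   % would climb above Root
normalize([".." | T], [_ | Acc]) -> normalize(T, Acc);
normalize([Comp | T], Acc) -> normalize(T, [Comp | Acc]).
```

With Root "/srv/sftp", "/upload/../../etc/passwd" yields {error, outside_root} while "/upload/../docs" yields {ok, "/srv/sftp/docs"}. Symlinks inside the root are not covered by a lexical check and need a separate test after resolution.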

OTP-20186
Related Id(s):

GH-SA-7wp4-pc27-2vj9, PR-11295, CVE-2026-54886

Fixed an infinite loop in the SFTP server triggered when receiving SSH_MSG_CHANNEL_EXTENDED_DATA on an SFTP channel, which caused the channel process to spin indefinitely on CPU without consuming its message queue.

OTP-20200
Related Id(s):

PR-11259

The SFTP server now caps the read length in SSH_FXP_READ requests to 255 KiB (matching OpenSSH’s SFTP_MAX_READ_LENGTH), preventing excessive memory allocation when clients request large reads.

OTP-20206
Related Id(s):

PR-11268

Removed a server-side workaround (OTP-14827, introduced in OTP 20) that accepted SHA-1 user-auth signatures from clients identifying as OpenSSH 7.x when rsa-sha2-* was negotiated. The workaround addressed a distro-specific build issue in 2017 that no longer exists. Clients affected by this removal (extremely unlikely — requires a 10-year-old unpatched OpenSSH build) will see authentication failures and must upgrade.

Full runtime dependencies of ssh-5.2.11.9

crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

ssl-11.2.12.10

Note! The ssl-11.2.12.10 application cannot be applied independently of other applications on an arbitrary OTP 27 installation.

On a full OTP 27 installation, the following runtime dependency also has to be satisfied:

public_key-1.17.1.3 (first satisfied in OTP 27.3.4.12)

OTP-20190
Related Id(s):

PR-11250

Correct small behavior bugs that could occasionally cause DTLS connection errors, unwanted behavior for legacy DHE_DSS, hiding of a distribution config error, and possible disorderly process tree shutdown.

OTP-20194
Related Id(s):

PR-11271, CVE-2026-54887

Initialize the DTLS cookie to a random value to avoid a DoS attack with a forged cookie during the startup window.
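A stateless DTLS cookie scheme of the kind this entry concerns, as an added Erlang example that is not the ssl application's own code (module and function names are hypothetical): the secret is drawn from crypto:strong_rand_bytes/1 before any cookie is issued, so there is no startup window with a predictable value, and cookies are checked with a constant-time comparison, the same property the public_key OCSP hardening entry above relies on.

```erlang
%% Added example, not OTP's DTLS implementation. Module name is hypothetical.
-module(dtls_cookie_example).
-export([new_secret/0, make_cookie/3, verify_cookie/4]).

%% The secret must be unpredictable from the very first use: a fixed or
%% zero initial value lets a peer forge cookies until the first rotation.
new_secret() ->
    crypto:strong_rand_bytes(32).

%% Stateless cookie (RFC 6347 style): an HMAC over the peer address and
%% the ClientHello fields (excluding the cookie field itself), so the
%% server keeps no per-peer state until the peer proves it can receive.
make_cookie(Secret, {Ip, Port}, ClientHelloBin) when is_binary(ClientHelloBin) ->
    Peer = term_to_binary({Ip, Port}),
    crypto:mac(hmac, sha256, Secret, <<Peer/binary, ClientHelloBin/binary>>).

%% Constant-time verification. A length mismatch is rejected up front
%% because crypto:hash_equals/2 expects equal-length binaries.
verify_cookie(Secret, Peer, ClientHelloBin, Cookie) when is_binary(Cookie) ->
    Expected = make_cookie(Secret, Peer, ClientHelloBin),
    byte_size(Cookie) =:= byte_size(Expected)
        andalso crypto:hash_equals(Expected, Cookie).
```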

OTP-20207
Related Id(s):

PR-11270, CVE-2026-54891

Guard the TLS client against MITM injection of application data during the "plain-text window" of the handshake.

OTP-20216
Related Id(s):

PR-11282, CVE-2026-55952

Improve error handling for TLS PSK: an ILLEGAL_PARAMETER alert is now sent if binders and PSK identities do not match. Also mend the recovery mechanism of the ticket and session stores to be as resilient as possible to intermediate bugs.

OTP-20220
Related Id(s):

PR-11306, CVE-2026-55950

Fix a race condition that could be exploited to DoS DTLS servers.

OTP-20230
Related Id(s):

PR-11307

A TLS-1.3 stateless session ticket with obfuscated_ticket_age set to zero was incorrectly accepted without checking the server-side ticket lifetime or the RFC 8446 Section 8.3 freshness window. The server now always validates ticket age using its own timestamp regardless of the client-reported age value.
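Server-side ticket age validation of the kind this entry describes, as an added Erlang example that is not the ssl application's own code (the module, function and map keys are hypothetical, and the skew window is a parameter rather than a fixed value): expiry is decided on the server's own clock, so an obfuscated_ticket_age of zero, or any other client-chosen value, cannot keep an expired ticket alive.

```erlang
%% Added example, not OTP's TLS 1.3 implementation. Names are hypothetical.
-module(ticket_age_example).
-export([validate_ticket_age/4]).

%% Ticket: what the server stored (or sealed into the ticket) at issue time.
%%   issued_at_ms:   server clock when the NewSessionTicket was sent
%%   lifetime_s:     ticket_lifetime advertised to the client (seconds)
%%   ticket_age_add: the 32-bit mask sent with the ticket
%% ObfAge:   obfuscated_ticket_age from the client's PskIdentity
%% NowMs:    the server's current clock
%% WindowMs: allowed skew between server-measured and client-claimed age
validate_ticket_age(#{issued_at_ms := IssuedMs, lifetime_s := LifetimeS,
                      ticket_age_add := AgeAdd},
                    ObfAge, NowMs, WindowMs) ->
    ServerAgeMs = NowMs - IssuedMs,
    %% Undo the obfuscation; band keeps the 32-bit wrap-around semantics.
    ClientAgeMs = (ObfAge - AgeAdd) band 16#FFFFFFFF,
    if
        %% The server's own clock decides first: an expired ticket is
        %% rejected no matter what age the client claims, including 0.
        ServerAgeMs < 0 -> {error, clock_skew};      % fail closed
        ServerAgeMs >= LifetimeS * 1000 -> {error, expired};
        %% RFC 8446 Section 8.3 freshness: the claim must be close to reality.
        abs(ServerAgeMs - ClientAgeMs) > WindowMs -> {error, stale_age};
        true -> ok
    end.
```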

OTP-20231
Related Id(s):

PR-11309

The TLS-1.3 client now rejects a second HelloRetryRequest, as required in RFC 8446 Section 4.1.4.

OTP-20232
Related Id(s):

PR-11311

A busy client node using auto mode could, given unlucky scheduling, trigger a crash of its own ticket store.

Full runtime dependencies of ssl-11.2.12.10

crypto-5.1, erts-15.0, inets-5.10.7, kernel-9.0, public_key-1.17.1.3, runtime_tools-1.15.1, stdlib-6.0

Thanks To

Nick Krichevsky, zmstone