| Patch Package | OTP 29.0.2 |
| Git Tag | OTP-29.0.2 |
| Date | 2026-06-10 |
| Issue Id | CVE-2026-48855 CVE-2026-48856 CVE-2026-48858 CVE-2026-48859 CVE-2026-48860 CVE-2026-49759 CVE-2026-49760 GH-SA-24cv-hwgr-37fq GH-SA-3w6p-vwhf-wvp4 GH-SA-6f4f-chj5-5g97 GH-SA-gp7x-mfv6-52cv GH-SA-m75x-4vwg-ggjh GH-SA-pv7g-pjrq-x2fh GH-SA-xcxj-5pg2-v72j |
| System | OTP |
| Release | 29 |
| Application |
dialyzer-6.0.1
The dialyzer-6.0.1 application can be applied independently of other applications on a full OTP 29 installation.
- OTP-20178
-
- Related Id(s):
Fix native record bugs in Dialyzer
Full runtime dependencies of dialyzer-6.0.1
compiler-10.0, erts-12.0, kernel-8.0, stdlib-5.0, syntax_tools-2.0
diameter-2.7.1
The diameter-2.7.1 application can be applied independently of other applications on a full OTP 29 installation.
- OTP-20150
-
Fixed return value documentation of `diameter:service_info(SvcName, statistics)`.
Full runtime dependencies of diameter-2.7.1
erts-10.0, kernel-3.2, ssl-9.0, stdlib-5.0
erl_interface-5.8.1
The erl_interface-5.8.1 application can be applied independently of other applications on a full OTP 29 installation.
- OTP-20160
-
- Related Id(s):
Fixed stack overflow in `ei_s_print_term` for very big integer terms (> 2000 hexadecimal digits long).
erts-17.0.2
The erts-17.0.2 application can be applied independently of other applications on a full OTP 29 installation.
- OTP-20165
-
- Related Id(s):
A buffer overflow error when parsing SCTP ERROR or ABORT chunks has been fixed.
This could lead to stack corruption and a VM crash and, with hard work by an attacker, might ultimately even be refined into remote code execution.
Full runtime dependencies of erts-17.0.2
kernel-9.0, sasl-3.3, stdlib-4.1
ftp-1.2.6
The ftp-1.2.6 application can be applied independently of other applications on a full OTP 29 installation.
- OTP-20166
-
- Related Id(s):
FTP client default connections that use the so-called passive mode of FTP fail to properly validate the response IP of the server; hence a malicious or compromised FTP server could redirect the data connection to an arbitrary host, enabling server-side request forgery (SSRF) and FTP bounce attacks.
Full runtime dependencies of ftp-1.2.6
erts-7.0, kernel-6.0, runtime_tools-1.15.1, ssl-10.2, stdlib-3.5
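The passive-mode check described in the ftp entry above, as an added sketch that is not the ftp application's code. It assumes that validating the response IP means requiring the address in the 227 reply to equal the IPv4 peer address of the control connection; the module name, function names and sample replies are constructed for illustration.

```erlang
-module(pasv_check).
-export([data_endpoint/2, demo/0]).

%% Reply:       text of a 227 reply, "227 ... (h1,h2,h3,h4,p1,p2)".
%% ControlPeer: IPv4 tuple of the control connection's peer, i.e. the
%%              address part of what inet:peername/1 returns.
%% Returns {ok, {Address, Port}} only when the advertised address is the
%% server we are already talking to (assumed policy for this sketch).
data_endpoint(Reply, ControlPeer) ->
    Pattern = "^227 [^(]*\\((\\d{1,3}),(\\d{1,3}),(\\d{1,3}),"
              "(\\d{1,3}),(\\d{1,3}),(\\d{1,3})\\)",
    case re:run(Reply, Pattern, [{capture, all_but_first, list}]) of
        {match, Fields} ->
            check([list_to_integer(F) || F <- Fields], ControlPeer);
        nomatch ->
            {error, bad_reply}
    end.

check([A, B, C, D, P1, P2] = Ints, ControlPeer) ->
    InRange = lists:all(fun(N) -> N =< 255 end, Ints),
    Port = P1 * 256 + P2,
    if
        not InRange ->
            {error, bad_reply};
        Port =:= 0 ->
            {error, bad_reply};
        {A, B, C, D} =/= ControlPeer ->
            %% The reply points the data connection somewhere else: refuse.
            {error, {address_mismatch, {A, B, C, D}}};
        true ->
            {ok, {ControlPeer, Port}}
    end.

%% Constructed replies; 192.0.2.10 stands in for the real server.
demo() ->
    Peer = {192, 0, 2, 10},
    [data_endpoint("227 Entering Passive Mode (192,0,2,10,195,80)", Peer),
     data_endpoint("227 Entering Passive Mode (10,0,0,5,0,22)", Peer),
     data_endpoint("227 Entering Passive Mode (192,0,2,999,1,1)", Peer)].
```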
inets-9.7.1
The inets-9.7.1 application can be applied independently of other applications on a full OTP 29 installation.
- OTP-20155
-
- Related Id(s):
The HTTP client (httpc) now removes Authorization, Proxy-Authorization, Cookie, Referer, and Origin headers when following a redirect to a different host or port. Previously these headers were forwarded verbatim, potentially leaking credentials to unintended targets.
This follows the requirements of RFC 9110 §15.4.
Full runtime dependencies of inets-9.7.1
erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0
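The redirect rule from the httpc entry above, as an added example that is not the inets implementation. It drops the five listed headers whenever the resolved redirect target differs in host or port; the module name, function names, URLs and header values are constructed for illustration.

```erlang
-module(redirect_headers).
-export([for_redirect/3, demo/0]).

%% Header names (lowercase) that must not cross to a different host or port.
-define(SENSITIVE, ["authorization", "proxy-authorization", "cookie",
                    "referer", "origin"]).

%% FromUrl:  absolute URL of the request that received the 3xx response.
%% Location: value of the Location header (may be relative).
%% Headers:  [{Name, Value}] strings, the shape httpc:request/4 takes.
%% Returns {TargetUrl, HeadersToSend}.
for_redirect(FromUrl, Location, Headers) ->
    Target = uri_string:resolve(Location, FromUrl),
    Kept = case host_port(FromUrl) =:= host_port(Target) of
               true  -> Headers;
               false -> [H || {Name, _} = H <- Headers,
                              not lists:member(string:lowercase(Name),
                                               ?SENSITIVE)]
           end,
    {Target, Kept}.

%% Hosts compare case-insensitively; a missing port means the scheme default.
%% Any scheme other than http/https crashes here, so nothing is forwarded.
host_port(Url) ->
    #{scheme := Scheme, host := Host} = Parsed = uri_string:parse(Url),
    Default = case string:lowercase(Scheme) of
                  "https" -> 443;
                  "http"  -> 80
              end,
    {string:lowercase(Host), maps:get(port, Parsed, Default)}.

%% Constructed sample request: one same-origin and one cross-port redirect.
demo() ->
    Hs = [{"Authorization", "Bearer constructed-token"},
          {"Cookie", "sid=constructed"},
          {"accept", "*/*"}],
    Base = "https://api.example.test/v1/items",
    {_, Same}  = for_redirect(Base, "/v2/items", Hs),
    {_, Other} = for_redirect(Base, "https://cdn.example.test:8443/items", Hs),
    {length(Same), Other}.
```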
kernel-11.0.2
The kernel-11.0.2 application can be applied independently of other applications on a full OTP 29 installation.
- OTP-20057
-
gen_tcp_socket accept should explicitly inherit the same options as plain gen_tcp.
Full runtime dependencies of kernel-11.0.2
crypto-5.8, erts-17.0, sasl-3.0, stdlib-8.0
mnesia-4.26.1
The mnesia-4.26.1 application can be applied independently of other applications on a full OTP 29 installation.
- OTP-20149
-
Fixed docs of `mnesia:write/3` to clarify when a transaction can terminate.
Full runtime dependencies of mnesia-4.26.1
erts-9.0, kernel-5.3, stdlib-5.0
public_key-1.21.2
The public_key-1.21.2 application can be applied independently of other applications on a full OTP 29 installation.
- OTP-20172
-
- Related Id(s):
Add missing macro reference for legacy algorithms md5 and sha224. This mainly improves error handling.
Full runtime dependencies of public_key-1.21.2
asn1-5.0, crypto-5.8, erts-13.0, kernel-8.0, stdlib-4.0
ssh-6.0.1
The ssh-6.0.1 application can be applied independently of other applications on a full OTP 29 installation.
- OTP-20153
-
- Related Id(s):
Fixed a timing-based username enumeration vulnerability during password authentication with the user_passwords option. A dummy PBKDF2 computation is now performed for invalid usernames to match the response time of valid ones.
- OTP-20162
-
- Related Id(s):
Fixed SSH_FXP_READLINK handler in ssh_sftpd to strip the backend root prefix from symlink targets before returning them to the client, preventing disclosure of the server’s absolute filesystem path when the root option is configured.
- OTP-20181
-
- Related Id(s):
Fixed a race condition where SSH keep-alive responses could consume pending channel open requests, causing channel setup to fail silently.
Full runtime dependencies of ssh-6.0.1
crypto-5.7, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-8.0
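The timing countermeasure from OTP-20153 above, as an added sketch that is not the ssh application's code. It runs one PBKDF2 derivation whether or not the username exists and compares in constant time; the storage format, iteration count, module name and sample credentials are assumptions made for this example.

```erlang
-module(pw_check).
-export([new_entry/1, check/3, demo/0]).

-define(ITER, 100000).   % assumed work factor for this sketch
-define(KEYLEN, 32).     % bytes of derived key

%% Build a stored {Salt, Hash} entry for a password (binary).
new_entry(Password) ->
    Salt = crypto:strong_rand_bytes(16),
    {Salt, derive(Password, Salt)}.

%% Users is a map Username => {Salt, Hash}.
%% An unknown username is checked against a fixed dummy entry, so the
%% expensive derivation runs on both paths and response time does not
%% reveal whether the account exists.
check(User, Password, Users) ->
    {Known, {Salt, Hash}} =
        case maps:find(User, Users) of
            {ok, Entry} -> {true, Entry};
            error       -> {false, dummy_entry()}
        end,
    %% Computed before looking at Known, so it is never skipped.
    Match = crypto:hash_equals(derive(Password, Salt), Hash),
    Known andalso Match.

derive(Password, Salt) ->
    crypto:pbkdf2_hmac(sha256, Password, Salt, ?ITER, ?KEYLEN).

%% Same sizes as a real entry; the result for it is always discarded.
dummy_entry() ->
    {<<0:128>>, <<0:256>>}.

%% Constructed accounts: valid login, wrong password, unknown user.
demo() ->
    Users = #{<<"alice">> => new_entry(<<"constructed-password">>)},
    [check(<<"alice">>, <<"constructed-password">>, Users),
     check(<<"alice">>, <<"wrong">>, Users),
     check(<<"mallory">>, <<"wrong">>, Users)].
```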
ssl-11.7.2
Note! The ssl-11.7.2 application cannot be applied independently of other applications on an arbitrary OTP 29 installation.
On a full OTP 29 installation, also the following runtime dependency has to be satisfied:
-- public_key-1.21.1 (first satisfied in OTP 29.0.1)
- OTP-20154
-
- Related Id(s):
Fix miscellaneous issues that could cause unnecessary memory consumption and, in some less common scenarios or configurations, cause connection failures.
- OTP-20156
-
- Related Id(s):
Erlang distribution over TLS run with the kernel ‘check_ip’ flag now properly enforces that connecting nodes are on the same LAN.
- OTP-20161
-
- Related Id(s):
Enhance error message by fixing a typo in an atom in the new error message related to the `public_key` CVE-2026-42790 solution.
- OTP-20174
-
- Related Id(s):
Corrected SNI handling for TLS-1.3-only servers, which could cause connection failures if the supported signature algorithms were changed by an SNI option update.
Full runtime dependencies of ssl-11.7.2
crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.21.1, runtime_tools-1.15.1, stdlib-7.0
stdlib-8.0.1
The stdlib-8.0.1 application can be applied independently of other applications on a full OTP 29 installation.
- OTP-20151
-
- Related Id(s):
Fix a bug where a tuple record operation within a native record anonymous update can crash.
- OTP-20170
-
- Related Id(s):
Fixed some bugs in `io_lib:bformat/2` and native record printing.
Full runtime dependencies of stdlib-8.0.1
compiler-5.0, crypto-4.5, erts-16.0.3, kernel-11.0, sasl-3.0, syntax_tools-3.2.1
tools-4.2.1
The tools-4.2.1 application can be applied independently of other applications on a full OTP 29 installation.
- OTP-20163
-
Xref could crash instead of returning an appropriate error tuple when asked to open a BEAM file without debug information but with a `moduledoc(false)` attribute.
Full runtime dependencies of tools-4.2.1
compiler-8.5, crypto-5.9, erts-15.0, kernel-10.0, public_key-1.21, runtime_tools-2.1, stdlib-6.0
Thanks To
John Downey, Jonatan Männchen