CVE-2026-48860 · Severity: HIGH · CNA: EEF

CVE-2026-48860: Distribution-over-TLS LAN allowlist silently bypassed due to sockname/peername confusion in inet_tls_dist

Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist. The inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead of inet:peername/1 to obtain the peer's IP address. Because inet:sockname/1 returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, so the subnet mask comparison always succeeds regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including rpc:call/4 and code:load_binary/3. This vulnerability is associated with program file lib/ssl/src/inet_tls_dist.erl. This issue affects OTP from 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13, corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.

Metrics

CVSS v4.0: 7.5
Severity: HIGH
Fixed in: *
Affected Products: 2


HarborGuard Analysis

Synopsis

An authentication bypass vulnerability affects the inet_tls_dist module in Erlang/OTP, specifically the LAN allowlist enforcement used by Erlang's distribution-over-TLS mechanism. The bug stems from a sockname/peername confusion: check_ip/1 calls inet:sockname/1 (which returns the local socket address) instead of inet:peername/1 (the remote peer's address), so the subnet comparison always passes and any holder of a CA-signed TLS certificate can connect from outside the intended LAN segment without restriction. Successful exploitation grants full Erlang distribution access to the targeted node, enabling arbitrary remote code execution via rpc:call/4 and dynamic code loading via code:load_binary/3. A patched-image rebuild at the fixed commit (0209a6df65d605552b378273027b3968b35f26b4, corresponding to OTP 29.0.2, 28.5.0.2, and 27.3.4.13) is available on HarborGuard for environments running affected versions.
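The sockname/peername confusion the synopsis describes, shown as an added Erlang illustration that is not OTP's inet_tls_dist.erl: the module and function names, and the assumption that the check runs on the plain gen_tcp socket and takes the local interface list from inet:getif/1, are assumptions of this example, not the upstream code.

```erlang
%% lan_check_demo.erl: added illustration, NOT OTP's inet_tls_dist.erl.
%% Function names and the exact shape of the real check are assumptions.
%% Assumes Socket is a plain gen_tcp socket (the TCP transport under the
%% distribution TLS session).
-module(lan_check_demo).
-export([peer_allowed/1, peer_allowed_buggy/1, same_subnet/2, mask/2, demo/0]).

%% Apply a netmask element by element; works for IPv4 (4-tuples) and
%% IPv6 (8-tuples) alike as long as both tuples have the same arity.
mask(Netmask, Addr) when tuple_size(Netmask) =:= tuple_size(Addr) ->
    list_to_tuple(lists:zipwith(fun erlang:'band'/2,
                                tuple_to_list(Netmask), tuple_to_list(Addr))).

%% True when PeerIp shares a subnet with at least one local interface.
%% Ifs has the shape inet:getif/1 returns: [{Addr, Broadcast, Netmask}].
same_subnet([{OwnIp, _Bcast, Netmask} | Rest], PeerIp)
  when tuple_size(OwnIp) =:= tuple_size(PeerIp) ->
    case mask(Netmask, PeerIp) =:= mask(Netmask, OwnIp) of
        true  -> true;
        false -> same_subnet(Rest, PeerIp)
    end;
same_subnet([_OtherFamily | Rest], PeerIp) ->
    same_subnet(Rest, PeerIp);
same_subnet([], _PeerIp) ->
    false.

%% Buggy shape: the "peer" address is read with sockname/1, which returns the
%% LOCAL endpoint. That address is itself one of the local interface addresses,
%% so the comparison matches for every remote host and the allowlist is void.
peer_allowed_buggy(Socket) ->
    {ok, {NotThePeer, _Port}} = inet:sockname(Socket),
    {ok, Ifs} = inet:getif(Socket),
    same_subnet(Ifs, NotThePeer).

%% Corrected shape: peername/1 yields the REMOTE endpoint, so an off-subnet
%% client is compared against the address it actually connected from.
peer_allowed(Socket) ->
    {ok, {PeerIp, _Port}} = inet:peername(Socket),
    {ok, Ifs} = inet:getif(Socket),
    same_subnet(Ifs, PeerIp).

%% Constructed data: one local interface on 10.0.0.0/24. The first element is
%% the question the fixed check asks about an off-subnet peer; the second is the
%% question the buggy check effectively asks, the local address against itself.
demo() ->
    Ifs = [{{10,0,0,5}, {10,0,0,255}, {255,255,255,0}}],
    {same_subnet(Ifs, {203,0,113,7}), same_subnet(Ifs, {10,0,0,5})}.
```

Compile with erlc and call lan_check_demo:demo/0 in a shell to compare the two outcomes side by side.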

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (EEF and NVD) within minutes of publication and matched against all customer images, including custom-built images that vendor or bundle Erlang/OTP. Any image carrying an affected ssl/inet_tls_dist version is flagged immediately in the customer's registry and CI/CD pipeline scans.

Triage (Available)

HarborGuard scores this CVE at CVSS 7.5 HIGH and weights it further against each environment's compliance policy to determine urgency and routing. Findings are assigned to the appropriate team inbox within each customer org based on the image ownership and policy configuration in place.

Patch (Available)

A patched-image rebuild against the fixed OTP versions (29.0.2, 28.5.0.2, and 27.3.4.13) is available on HarborGuard for any environment running an affected release. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability

    The attacker must be positioned on an adjacent network (LAN, VPN, or similar Layer-2 segment) to reach the Erlang distribution port; broad internet exposure is not required, but the bug defeats the allowlist meant to restrict exactly this perimeter.

  • Authentication: Required

    The attacker must present a certificate signed by a CA that the target node trusts; a low-privilege position in the PKI (possession of any such certificate) is sufficient to satisfy TLS handshake requirements and trigger the bypass.

  • Victim interaction: Not required

    No action by a user or administrator on the target node is needed; the attacker initiates the connection directly.

  • Attack complexity

    Exploitation requires a specific precondition: the attacker must hold a valid CA-signed TLS certificate for the affected cluster's PKI, and the node must have inet_tls_dist configured with an IP allowlist, making reliable exploitation contingent on those environmental factors.

Blast Radius

  • Attacker gains full Erlang distribution node membership, allowing arbitrary Erlang function calls on the target node via rpc:call/4.
  • Attacker can load arbitrary compiled Erlang modules into the running VM via code:load_binary/3, enabling persistent code execution under the OTP process.
  • All data accessible to the Erlang node (in-memory state, ETS tables, Mnesia databases, secrets held in the process dictionary) is readable by the attacker.
  • The attacker can crash or hang individual Erlang processes or the entire VM, causing a full service outage for any application running on that OTP node.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of ingestion for any image bundling an affected Erlang/OTP ssl version (11.0 through 11.7.1, 11.6.0.1, and 11.2.12.8 and earlier in their respective branches). Patched rebuilds targeting OTP 29.0.2, 28.5.0.2, and 27.3.4.13 are available for affected images. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs regression tests, and opens a PR against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes. Where compliance policy does not permit auto-remediation, the finding appears in the triage queue with full CVSS context and fix-version guidance. While awaiting patching, compensating controls include restricting the Erlang distribution port (typically 4369 and the EPMD range) via network policy to only known-good source IPs at the infrastructure layer, adding mutual TLS certificate pinning where the CA scope can be narrowed, and disabling inet_tls_dist IP allowlist reliance entirely in favor of firewall-level controls until the fixed OTP version is deployed.


Fix available

Patch commits
  • 0209a6df65d605552b378273027b3968b35f26b4

Affected packages
  • Erlang / OTP: < * (from 11.0)
  • Erlang / OTP: < * (from 26.0) · < 0209a6df65d605552b378273027b3968b35f26b4 (from 7a08c5507862a7011568506d0c17b1fdef30bee4)

CVSS Vector: CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N