HIGH · CVE-2026-49759 · Published · Modified · CNA: EEF

CVE-2026-49759: Stack buffer overflow in SCTP error cause parsing in inet_drv allows remote VM crash

Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk. The sctp_parse_error_chunk function in erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated ErlDrvTermData spec[] array without checking bounds. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit values interleaved with a fixed tag, so the overflow does not provide a controlled return address, limiting exploitation to Denial of Service. A crafted SCTP ERROR chunk may also leak bits and pieces of Erlang VM memory into the received error packet observed by the Erlang process. Such data is already readable by the user running the Erlang VM, so the disclosure scope is limited. This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and 17.0.2.
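
The missing bounds check described above, as an added example in C (not the inet_drv.c code and not the upstream fix): a cause walker that validates every length field and refuses to store more cause codes than the caller's fixed-size array holds. The function name, error codes, array capacity and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SCTP_CHUNK_ERROR 9   /* chunk type of ERROR (RFC 9260) */
enum { PARSE_MALFORMED = -1, PARSE_TOO_MANY = -2 };   /* hypothetical error codes */

/* Constructed sample: ERROR chunk, length 16, causes 4 (len 4) and 6 (len 6 + 2 pad). */
static const uint8_t SAMPLE_OK[] = { 9,0,0,16,  0,4,0,4,  0,6,0,6,0xde,0xad,0,0 };
/* Constructed sample: the cause claims 64 bytes but the chunk holds only 4 more. */
static const uint8_t SAMPLE_BAD_LEN[] = { 9,0,0,8,  0,4,0,64 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Stores up to `cap` cause codes in `codes`; returns the count or a negative error. */
int parse_error_causes(const uint8_t *buf, size_t len, uint16_t *codes, size_t cap)
{
    if (len < 4 || buf[0] != SCTP_CHUNK_ERROR) return PARSE_MALFORMED;
    size_t chunk_len = rd16(buf + 2);          /* includes the 4-byte chunk header */
    if (chunk_len < 4 || chunk_len > len) return PARSE_MALFORMED;

    size_t off = 4, n = 0;
    while (off < chunk_len) {
        size_t left = chunk_len - off;
        if (left < 4) return PARSE_MALFORMED;  /* no room for a cause header */
        size_t clen = rd16(buf + off + 2);     /* includes the 4-byte cause header */
        if (clen < 4 || clen > left) return PARSE_MALFORMED;
        if (n == cap) return PARSE_TOO_MANY;   /* bound on the fixed-size output */
        codes[n++] = rd16(buf + off);
        size_t padded = (clen + 3) & ~(size_t)3;   /* causes are 4-byte aligned */
        off += padded < left ? padded : left;  /* final padding may be absent */
    }
    return (int)n;
}

int main(void)
{
    uint16_t codes[8];   /* fixed-size output; capacity chosen for the example */
    printf("ok=%d\n", parse_error_causes(SAMPLE_OK, sizeof SAMPLE_OK, codes, 8));
    printf("cap1=%d\n", parse_error_causes(SAMPLE_OK, sizeof SAMPLE_OK, codes, 1));
    printf("bad=%d\n", parse_error_causes(SAMPLE_BAD_LEN, sizeof SAMPLE_BAD_LEN, codes, 8));
    return 0;
}
```

Rejecting the chunk when the array is full is one policy; truncating the list and continuing is another, as long as the write index never passes the array's capacity.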

Metrics

  • CVSS v4.0: 8.8
  • Severity: HIGH
  • Fixed in: *
  • Affected Products: 2

HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in the SCTP error cause parsing code inside Erlang/OTP's inet_drv driver (erts). The vulnerability is reachable over the network by any unauthenticated attacker who can establish an SCTP association to a listening port, requiring no authentication and no victim interaction. Successful exploitation crashes the BEAM VM, causing a denial of service; a secondary side effect can leak small fragments of VM memory into the error packet visible to the receiving Erlang process. Patched-image rebuilds at the fix commits are available on HarborGuard for environments running an affected OTP version.

HarborGuard Coverage

Detection

Detection of CVE-2026-49759 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including internally built images that bundle Erlang/OTP, in both registry scans and CI pipeline checks.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.8 HIGH and weighting that score against each environment's compliance policy to determine urgency; triage results are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at the upstream fix commits (OTP 27.3.4.13, 28.5.0.2, or 29.0.2 and their corresponding erts versions) is available on HarborGuard for any image found to contain an affected OTP release. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target over the network and establish a valid SCTP association to a port where the Erlang application is listening.

  • Authentication: Not required

    No credentials or session token are needed; the malicious SCTP ERROR chunk can be sent by any unauthenticated peer that completes the SCTP handshake.

  • Victim interaction: Not required

    No user action is required; the overflow is triggered entirely by the attacker sending a crafted packet to the listening service.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free once an SCTP association exists; no race conditions, memory-layout dependencies, or special environmental factors are required.

Blast Radius

  • Crashes the BEAM VM process, taking down all Erlang application logic running on that node until it is restarted.
  • Leaks fragments of Erlang VM stack memory into the error cause data visible to the receiving Erlang process, exposing whatever happened to occupy adjacent stack space at the time of the overflow.
  • Because return-address control is not achievable (only 16-bit values interleaved with a fixed tag can be written), arbitrary code execution is not possible with this overflow; impact is limited to denial of service and the narrow memory disclosure described above.

How HarborGuard Handles This

Available on HarborGuard: any image whose Erlang/OTP erts version is 6.0 or later and earlier than the applicable fix point (15.2.7.9, 16.4.0.2, or 17.0.2) is flagged automatically. A rebuilt image at a fixed OTP release is available for affected images. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs the configured regression suite, and opens a pull request against affected workloads; for high-severity issues like this one, median time from CVE publication to merged PR is around 90 minutes. Because SCTP listening ports are a relatively narrow attack surface, customers who cannot immediately apply the patch should consider using network policy to restrict which peers can establish SCTP associations to affected nodes, and should evaluate whether SCTP support can be disabled at the application layer until the fix is deployed. HarborGuard continues to re-check the advisory on each ingest cycle to confirm fix-version metadata remains current.

Fix available

*3983d495284331c121f600a80bac9fcf4e16381e
Patch commits
Affected packages
  • Erlang / OTP
    < * (from 6.0)
  • Erlang / OTP
    < * (from 17.0) · < 3983d495284331c121f600a80bac9fcf4e16381e (from 84adefa331c4159d432d22840663c38f155cd4c1)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N