CVE Tools
Sign in

CVE-2026-49759

Stack buffer overflow in SCTP error cause parsing in inet_drv allows remote VM crash

Published: Jun 10, 2026Updated: Jun 15, 2026 Sources: CVE List NVDCWE-121
NVD MITRE
8.2CVSSHIGH
EPSS Score
0.5%
Top 63.3%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk. The sctp_parse_error_chunk function in erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated ErlDrvTermData spec[] array without checking bounds. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit values interleaved with a fixed tag, so the overflow does not provide a controlled return address, limiting exploitation to Denial of Service. A crafted SCTP ERROR chunk may also leak bits and pieces of Erlang VM memory into the received error packet observed by the Erlang process. Such data is already readable by the user running the Erlang VM, so the disclosure scope is limited. This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and 17.0.2.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:LI:NA:H
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:LConfidentiality
Low
I:NIntegrity
None
A:HAvailability
High
Open in CVSS calculator →

Weaknesses

CWE-121

Affected Products

OTPErlang
LibraryLibrary
OSS Libraries / generic-library
erlang\/otperlang
Library
OSS Libraries / generic-library
ertserlang
Library
OSS Libraries / generic-library
erlangoss-projectOSS Librariesaka erlang/otp, otp, erlang/ssh

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

Official Patch Available

MITRE ATT&CK

1 technique
Privilege Escalation
View detailed technique mapping

References

https://github.com/erlang/otp/security/advisories/GHSA-6f4f-chj5-5g97
github.com
https://cna.erlef.org/cves/CVE-2026-49759.html
cna.erlef.org
https://osv.dev/vulnerability/EEF-CVE-2026-49759
osv.dev
and 2 more references View all →

Timeline

Published
Jun 10, 2026
Last Updated
Jun 15, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-49759 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows