Weakness Type (CWE)

CWE-121 — CWE-121 Stack-based Buffer Overflow

CAPEC

CVSS 4.0 Score

6.9

MEDIUM

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Vulnerability description

Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow.

This vulnerability is associated with program file lib/erl_interface/src/misc/ei_printterm.c and program routine ei_s_print_term.

The C function ei_s_print_term uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of 0-9 and A-F, which limits exploitation to Denial of Service.

The companion function ei_print_term, which prints directly to a FILE instead of a memory buffer, does not contain this bug.

This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.

Affected

pkg:otp/erl_interface

Module Source File Routine
erl_interface src/misc/ei_printterm.c ei_s_print_term
Status Type Version Changes / Fixed in
affected otp 3.7.16
  • unaffected at 5.5.2.1
  • unaffected at 5.7.0.1
  • unaffected at 5.8.1

pkg:github/erlang/otp

Module Source File Routine
erl_interface lib/erl_interface/src/misc/ei_printterm.c ei_s_print_term
Status Type Version Changes / Fixed in
affected otp 17.0
affected git 84adefa331 < 0bef277b2d

Workarounds

Avoid calling ei_s_print_term with untrusted data whose encoded integer representation could exceed 2000 characters.

References

Credits

  • Finder: Jonatan Männchen / EEF
  • Remediation developer: Sverker Eriksson

CVE record as JSON:  GET /cves/CVE-2026-49760.json
OSV record as JSON:  GET /osv/EEF-CVE-2026-49760.json