| Package | erlang |
|---|---|
| Version | 1:19.2.1+dfsg-2+really23.3.4.18-0+deb9u6 (stretch), 1:22.2.7+dfsg-1+deb10u5 (buster) |
| Related CVEs | CVE-2026-21620 CVE-2026-23941 CVE-2026-23942 CVE-2026-23943 |

Multiple vulnerabilities were discovered in Erlang, a concurrent, real-time, distributed functional language.

- CVE-2026-21620: Insufficient path sanitizing in tftp_file module.
- CVE-2026-23941: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling.
- CVE-2026-23942: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal.
- CVE-2026-23943: Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.

For Debian 10 buster, these problems have been fixed in version 1:22.2.7+dfsg-1+deb10u5.

For Debian 9 stretch, these problems have been fixed in version 1:19.2.1+dfsg-2+really23.3.4.18-0+deb9u6.

We recommend that you upgrade your erlang packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.