{"schema_version":"1.7.2","id":"OESA-2026-1027","modified":"2026-01-09T14:06:12Z","published":"2026-01-09T14:06:12Z","upstream":["CVE-2025-48039","CVE-2025-48040"],"summary":"erlang security update","details":"Erlang is a general-purpose programming language and runtime environment. Erlang has built-in support for concurrency, distribution and fault tolerance. Erlang is used in several large telecommunication systems from Ericsson.\r\n\r\nSecurity Fix(es):\n\nAllocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.(CVE-2025-48039)\n\nUncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 
5.1.4.12.(CVE-2025-48040)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP1","name":"erlang","purl":"pkg:rpm/openEuler/erlang&distro=openEuler-24.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"25.3.2.6-11.oe2403sp1"}]}],"ecosystem_specific":{"aarch64":["erlang-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-asn1-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-common_test-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-compiler-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-crypto-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-debugger-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-debuginfo-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-debugsource-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-dialyzer-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-diameter-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-edoc-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-eldap-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-erl_docgen-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-erl_interface-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-erts-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-et-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-eunit-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-examples-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-ftp-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-inets-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-jinterface-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-kernel-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-megaco-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-mnesia-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-observer-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-odbc-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-os_mon-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-parsetools-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-public_key-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-reltool-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-runtime_tools-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-sasl-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-snmp-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-src-25.3.2.6-11
.oe2403sp1.aarch64.rpm","erlang-ssh-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-ssl-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-stdlib-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-syntax_tools-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-tftp-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-tools-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-wx-25.3.2.6-11.oe2403sp1.aarch64.rpm","erlang-xmerl-25.3.2.6-11.oe2403sp1.aarch64.rpm"],"src":["erlang-25.3.2.6-11.oe2403sp1.src.rpm"],"x86_64":["erlang-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-asn1-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-common_test-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-compiler-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-crypto-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-debugger-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-debuginfo-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-debugsource-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-dialyzer-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-diameter-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-edoc-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-eldap-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-erl_docgen-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-erl_interface-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-erts-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-et-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-eunit-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-examples-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-ftp-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-inets-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-jinterface-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-kernel-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-megaco-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-mnesia-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-observer-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-odbc-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-os_mon-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-parsetools-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-public_key-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-reltool-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-runtime_tools-25.3.2.6-1
1.oe2403sp1.x86_64.rpm","erlang-sasl-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-snmp-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-src-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-ssh-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-ssl-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-stdlib-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-syntax_tools-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-tftp-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-tools-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-wx-25.3.2.6-11.oe2403sp1.x86_64.rpm","erlang-xmerl-25.3.2.6-11.oe2403sp1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1027"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48039"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48040"}],"database_specific":{"severity":"Medium"}}
