The Erlang/OTP 26.2.5.18 patch release fixes three CVEs and two other bugs across the inets, ssh, and ssl applications. The inets httpd server now rejects HTTP requests that carry multiple, conflicting Content-Length headers, closing a request-smuggling vector (CVE-2026-23941). The SSH SFTP server fixes a path traversal: the root option was enforced with string prefix matching rather than path-component validation, so a path that merely shared the root's string prefix without being inside it passed the check (CVE-2026-23942). SSH compression is patched against decompression bombs, in which a 256 KB packet could expand to 255 MB, and zlib is removed from the default compression algorithms (CVE-2026-23943). In the ssl application, TLS-1.3 alert handling and the ordering of signature algorithms in certificate requests are corrected.
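The SFTP root bug is a generic one, so here is an added illustration of the difference between a string-prefix check and a path-component check. This is example code written for this page in Python, not OTP's ssh_sftpd implementation (which is Erlang), and the root directory, path names and function names are constructed for the example.

```python
import posixpath

# Constructed example: a virtual SFTP root. Hypothetical value, not from OTP.
ROOT = "/srv/sftp"


def weak_is_under_root(root, path):
    """The flawed pattern: a plain string-prefix test on the normalised path.

    "/srv/sftp_evil/x" starts with "/srv/sftp" and so is wrongly accepted,
    even though it lies outside the root directory.
    """
    return posixpath.normpath(path).startswith(posixpath.normpath(root))


def components(path):
    """Non-empty components of a POSIX path after collapsing "." and ".."
    lexically (no filesystem access)."""
    return [c for c in posixpath.normpath(path).split("/") if c]


def is_under_root(root, path):
    """Component-wise containment: every component of root must equal the
    corresponding component of path. A sibling directory that only shares a
    string prefix ("/srv/sftp_evil") no longer passes."""
    root_parts = components(root)
    return components(path)[: len(root_parts)] == root_parts


def resolve_client_path(root, client_path):
    """Map a client-supplied SFTP path onto the real filesystem under root and
    refuse anything that escapes it (PermissionError).

    Caveat: this is a lexical check only. Symlinks inside root are not
    resolved here; a real server would also canonicalise with realpath before
    applying the component check."""
    real = posixpath.normpath(posixpath.join(root, client_path.lstrip("/")))
    if not is_under_root(root, real):
        raise PermissionError(f"{client_path!r} resolves outside {root}")
    return real


if __name__ == "__main__":
    print(resolve_client_path(ROOT, "/docs/a.txt"))        # /srv/sftp/docs/a.txt
    print(weak_is_under_root(ROOT, "/srv/sftp_evil/x"))    # True  (the bug)
    print(is_under_root(ROOT, "/srv/sftp_evil/x"))         # False (fixed)
```

Note that the prefix check does catch "..": normpath collapses "/srv/sftp/../../etc/passwd" to "/etc/passwd" before the comparison. What it cannot catch is a sibling whose name extends the root's name, which is exactly the case a component-wise comparison handles.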
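For the httpd change, the check a server needs is that every Content-Length value it sees agrees before it commits to a body length. The following is an added Python example of that check, not inets' own code; the two requests are constructed for the example, and as a labelled extension beyond what the page states it also rejects a request that carries both Transfer-Encoding and Content-Length, the other classic smuggling setup.

```python
# Constructed requests (not captured traffic). The second carries two
# Content-Length headers that disagree: a front-end and back-end that pick
# different ones would desynchronise on where the next request starts.
GOOD_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

CONFLICTING_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Length: 16\r\n"
    b"\r\n"
    b"helloGET /admin HTTP/1.1\r\n"
)


def parse_head(raw):
    """Split the request head into (request_line, [(name, value), ...]).
    Header names are lower-cased; the body is ignored here."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower().decode("ascii"),
                        value.strip().decode("ascii")))
    return request_line, headers


def validate_content_length(headers):
    """Return the single Content-Length value, or None if absent.

    Every Content-Length field, and every comma-separated member inside one,
    must be the same non-negative integer; anything else is rejected with
    ValueError rather than guessing which framing the peer will use.
    Rejecting Transfer-Encoding alongside Content-Length is an extension
    beyond the page's description (RFC 9112 permits a server to do so)."""
    values = []
    has_te = False
    for name, value in headers:
        if name == "content-length":
            values.extend(v.strip() for v in value.split(","))
        elif name == "transfer-encoding":
            has_te = True
    if not values:
        return None
    if has_te:
        raise ValueError("Content-Length together with Transfer-Encoding")
    if len(set(values)) != 1 or not values[0].isdigit():
        raise ValueError(f"conflicting or invalid Content-Length: {values}")
    return int(values[0])


def accepts(raw):
    """True if the request passes the Content-Length consistency check."""
    try:
        _, headers = parse_head(raw)
        validate_content_length(headers)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(accepts(GOOD_REQUEST))         # True
    print(accepts(CONFLICTING_REQUEST))  # False
```

Identical duplicates ("Content-Length: 7" twice) are accepted, matching the page's wording that only conflicting headers are rejected; a stricter server could refuse any duplicate.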

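The SSH compression fix comes down to never letting a peer decide how much memory one packet may inflate into. Below is an added example, in Python rather than Erlang and not OTP's own code, of inflating a packet under a hard output cap; the cap value and the sample payloads are constructed for the example.

```python
import zlib

# Assumed policy number for the example (not OTP's actual limit): the most
# one inflated packet may produce before it is rejected.
MAX_INFLATED = 64 * 1024


def inflate_bounded(compressed, limit=MAX_INFLATED):
    """Inflate at most `limit` bytes, failing closed if the stream wants more.

    Asking zlib for limit + 1 bytes makes an over-limit stream detectable
    without ever materialising the whole output: a bomb yields limit + 1
    bytes and is rejected, a normal payload yields everything it has."""
    d = zlib.decompressobj()
    out = d.decompress(compressed, limit + 1)
    if len(out) > limit:
        raise ValueError(f"inflated size exceeds {limit} bytes; rejecting packet")
    return out


def is_bomb(compressed, limit=MAX_INFLATED):
    """True if the packet would exceed the cap when inflated."""
    try:
        inflate_bounded(compressed, limit)
        return False
    except ValueError:
        return True


# Constructed inputs: a normal payload and a highly compressible one that
# mirrors the advisory's pattern (a small packet with a very large output).
NORMAL = zlib.compress(b"SSH_MSG_CHANNEL_DATA: hello")
BOMB = zlib.compress(b"\x00" * (4 * 1024 * 1024))


if __name__ == "__main__":
    print(len(BOMB), "compressed bytes")   # a few KB on the wire
    print(is_bomb(NORMAL), is_bomb(BOMB))   # False True
```

The cap is applied per packet; a server would also keep the existing SSH maximum packet size on the compressed side, so the worst case is bounded on both input and output.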
From erlangforums.com