Patch Package:           OTP 26.2.5.18
Git Tag:                 OTP-26.2.5.18
Date:                    2026-03-12
Trouble Report Id:       OTP-19795, OTP-20007, OTP-20009, OTP-20011,
                         OTP-20022
Se…

Erlang Forums is a community-driven platform for discussions related to the Erlang programming language, the Erlang virtual machine (BEAM), and related technologies such as OTP (Open Telecom Platform) and distributed systems. With dedicated forums covering topics like Erlang syntax, OTP frameworks, concurrency primitives, and fault-tolerant design patterns, Erlang Forums offers a resources for Erlang developers and enthusiasts to ask questions, share insights, and collaborate on Erlang-based projects. Whether you're a seasoned Erlang developer or a newcomer exploring functional programming, Erlang Forums provides a supportive community to help you learn and grow in your journey with Erlang.

Erlang Forums

Erlang/OTP 26.2.5.18 patch release fixes three CVEs and two other bugs across the inets, ssh, and ssl applications. The inets httpd server now rejects HTTP requests with multiple conflicting Content-Length headers to prevent request smuggling (CVE-2026-23941). The SSH SFTP server fixes a path traversal vulnerability where root option used string prefix matching instead of proper path component validation (CVE-2026-23942). SSH compression is also patched to prevent decompression bomb attacks that could expand 256 KB packets to 255 MB, with zlib removed from default compression algorithms (CVE-2026-23943). Additionally, TLS-1.3 alert handling and certificate request signature algorithm ordering are corrected in the ssl application.

Patch Package OTP 26.2.5.18 Released