Erlang/OTP 26.2.5.11

This release of Erlang/OTP can be built from source or installed using pre-built packages for your OS or third-party tools (such as kerl, asdf or mise).

docker run -it erlang:26.2.5.11
Patch Package: OTP 26.2.5.11
Git Tag: OTP-26.2.5.11
Date: 2025-04-16
Issue Id: CVE-2025-32433
System: OTP
Release: 26
Application

ssh-5.1.4.8

The ssh-5.1.4.8 application can be applied independently of other applications on a full OTP 26 installation.

OTP-19582
Application(s): ssh
Related Id(s): PR-9679

Reception of wrong Unicode does not cause unnecessary processing. US-ASCII fields are not decoded as Unicode.

OTP-19595
Application(s): ssh
Related Id(s): CVE-2025-32433

The SSH daemon disconnects upon receiving a connection protocol message for an unauthenticated user.

Thanks to Fabian Bäumer, Marcel Maehren, Marcus Brinkmann, Nurullah Erinola, Jörg Schwenk (Ruhr University Bochum).

Full runtime dependencies of ssh-5.1.4.8: crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0
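
A minimal model of the rule described under OTP-19595, as an added example that is not the ssh application's own code. The module name preauth_gate, its functions, the auth_ok marker and the sample payloads are hypothetical and constructed; the message number ranges follow RFC 4250 and the disconnect layout follows RFC 4253.

```erlang
-module(preauth_gate).
-export([layer/1, handle/2, run/1, demo/0]).

-define(SSH_MSG_DISCONNECT, 1).
-define(SSH_DISCONNECT_PROTOCOL_ERROR, 2).

%% Message number ranges from RFC 4250, section 4.1.1.
layer(N) when N >= 1,  N =< 49  -> transport;
layer(N) when N >= 50, N =< 79  -> userauth;
layer(N) when N >= 80, N =< 127 -> connection;
layer(_)                        -> other.

%% SSH_MSG_DISCONNECT payload (RFC 4253, section 11.1):
%% byte type, uint32 reason, string description, string language tag.
disconnect(Text) ->
    <<?SSH_MSG_DISCONNECT, ?SSH_DISCONNECT_PROTOCOL_ERROR:32,
      (byte_size(Text)):32, Text/binary, 0:32>>.

%% Decide what to do with one decrypted packet payload.
%% Authed is the server's own record of whether user auth completed;
%% it is never derived from anything the peer sent.
handle(<<Type, _/binary>>, Authed) ->
    case {layer(Type), Authed} of
        {connection, false} ->
            {disconnect, disconnect(<<"connection message before auth">>)};
        {Layer, _} ->
            {process, Layer}
    end;
handle(<<>>, _Authed) ->
    {disconnect, disconnect(<<"empty payload">>)}.

%% Feed a constructed sequence of payloads. The atom auth_ok (assumption)
%% marks the point where the server accepted the user's credentials.
run(Events) -> run(Events, false, []).

run([], _Authed, Acc) -> lists:reverse(Acc);
run([auth_ok | T], _Authed, Acc) -> run(T, true, Acc);
run([Payload | T], Authed, Acc) ->
    case handle(Payload, Authed) of
        {disconnect, _} = D -> lists:reverse([D | Acc]);
        Ok -> run(T, Authed, [Ok | Acc])
    end.

demo() ->
    ChannelOpen = <<90, "constructed">>,   % 90 = SSH_MSG_CHANNEL_OPEN
    AuthReq     = <<50, "constructed">>,   % 50 = SSH_MSG_USERAUTH_REQUEST
    {run([AuthReq, auth_ok, ChannelOpen]), % connection message after auth
     run([ChannelOpen, AuthReq])}.         % connection message before auth
```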

xmerl-1.3.34.2

The xmerl-1.3.34.2 application can be applied independently of other applications on a full OTP 26 installation.

OTP-19496
Application(s): xmerl
Related Id(s): GH-9190, PR-9463

Some old-style catch expressions in xmerl_sax_parser, evaluated when the continuation fun was called, caused the stack to grow until all free memory was exhausted. These parts have been rewritten so that the parser now runs correctly without growing the stack. At the same time, all old-style catch expressions in xmerl were replaced with try/catch.

Full runtime dependencies of xmerl-1.3.34.2: erts-6.0, kernel-8.4, stdlib-2.5