Patch Package: OTP 26.2.5.20
Git Tag: OTP-26.2.5.20
Date: 2026-04-21
Trouble Report Id: OTP-20081, OTP-20101
Seq num: CVE-2026-32147, GH-10667, PR-11027
System: OTP
Release: 26
Application: erts-14.2.5.14, ssh-5.1.4.15
Predecessor: OTP 26.2.5.19
Check out the git tag OTP-26.2.5.20, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the ‘otp_patch_apply’
tool. For information on install requirements, see descriptions for
each application version below.
— erts-14.2.5.14 --------------------------------------------------
The erts-14.2.5.14 application can be applied independently of other
applications on a full OTP 26 installation.
— Fixed Bugs and Malfunctions —
OTP-20101 Application(s): erts
Related Id(s): GH-10667
Fixed an issue when supplying the args_file option to
erl.exe on windows that did not handle unicode
characters correctly.
Full runtime dependencies of erts-14.2.5.14: kernel-9.0, sasl-3.3,
stdlib-4.1
— ssh-5.1.4.15 ----------------------------------------------------
The ssh-5.1.4.15 application can be applied independently of other
applications on a full OTP 26 installation.
— Fixed Bugs and Malfunctions —
OTP-20081 Application(s): ssh
Related Id(s): PR-11027, CVE-2026-32147
Fixed a vulnerability in the SFTP server where file
attributes could be modified outside the configured
root directory. When using FSETSTAT on an open file
handle, the operation used the path stored in the
handle without verifying it was within the root
directory, allowing attribute changes to files outside
the chroot boundary.
Thanks to John Downey.
Full runtime dependencies of ssh-5.1.4.15: crypto-5.0, erts-14.0,
kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0,
stdlib-5.0