Patch Package: OTP 27.3.4.14
Git Tag: OTP-27.3.4.14
Date: 2026-07-02
Trouble Report Id: OTP-20183, OTP-20185, OTP-20186, OTP-20190,
OTP-20191, OTP-20194, OTP-20197, OTP-20200,
OTP-20206, OTP-20207, OTP-20208, OTP-20211,
OTP-20215, OTP-20216, OTP-20217, OTP-20220,
OTP-20226, OTP-20230, OTP-20231, OTP-20232
Seq num: CVE-2026-53422, CVE-2026-54886,
CVE-2026-54887, CVE-2026-54891,
CVE-2026-55950, CVE-2026-55952, ERIERL-1333,
GH-SA-7wp4-pc27-2vj9, GH-SA-h9pw-h5w4-h976,
PR-11215, PR-11230, PR-11239, PR-11250,
PR-11259, PR-11268, PR-11269, PR-11270,
PR-11271, PR-11274, PR-11282, PR-11283,
PR-11294, PR-11295, PR-11299, PR-11302,
PR-11306, PR-11307, PR-11309, PR-11311
System: OTP
Release: 27
Application: common_test-1.27.7.1, crypto-5.5.3.3,
erts-15.2.7.10, public_key-1.17.1.4,
ssh-5.2.11.9, ssl-11.2.12.10
Predecessor: OTP 27.3.4.13
Check out the git tag OTP-27.3.4.14, and build a full OTP system including
documentation. Apply one or more applications from this build as patches to your
installation using the ‘otp_patch_apply’ tool. For information on install
requirements, see descriptions for each application version below.
common_test-1.27.7.1
The common_test-1.27.7.1 application can be applied independently of other
applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
Fixed a crash in ct_netconfc that occurred when the remote server closed the
SSH connection during NETCONF subsystem negotiation.
Own Id: OTP-20191
Related Id(s): ERIERL-1333, PR-11230
Full runtime dependencies of common_test-1.27.7.1
compiler-6.0, crypto-4.5, debugger-4.1, erts-7.0, ftp-1.0, inets-6.0,
kernel-8.4, observer-2.1, runtime_tools-1.8.16, sasl-2.5, snmp-5.1.2, ssh-4.0,
stdlib-4.0, syntax_tools-1.7, tools-3.2, xmerl-1.3.8
crypto-5.5.3.3
The crypto-5.5.3.3 application can be applied independently of other
applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
crypto:compute_key/4 for eddh and crypto:generate_key/2,3 for eddh/eddsa now
raise an error:{notsup, Info, Description} exception instead of returning the
atom notsup when the underlying cryptolib lacks support.
Own Id: OTP-20215
Related Id(s): PR-11302
Full runtime dependencies of crypto-5.5.3.3
erts-9.0, kernel-5.3, stdlib-3.9
erts-15.2.7.10
The erts-15.2.7.10 application can be applied independently of other
applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
Fixed an undefined behavior in the internal erts_qsort() function, which could
have been the cause of a beam crash seen when updating large maps.
Own Id: OTP-20185
Related Id(s): PR-11215
-
Calculating bxor of the largest supported positive integer
(erlang:system_info(max_integer)) and -1 would return [] instead of raising a
system_limit exception.
Own Id: OTP-20208
Related Id(s): PR-11269
-
Fixed a possible race between ets:delete/1 and a terminating process holding a
fixation on the same table.
Own Id: OTP-20217
Related Id(s): PR-11283
-
A few code generation issues for the JIT on AArch64 (ARM64) have been fixed.
For all platforms, the loader will reject some invalid BEAM files earlier.
Own Id: OTP-20226
Related Id(s): PR-11299
Improvements and New Features
-
Arithmetic operations on large integers will now increase the reduction count
for the process, causing context switches to occur more frequently when doing
arithmetic on large integers.
Own Id: OTP-20211
Related Id(s): PR-11274
Full runtime dependencies of erts-15.2.7.10
kernel-9.0, sasl-3.3, stdlib-4.1
public_key-1.17.1.4
The public_key-1.17.1.4 application can be applied independently of other
applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
Hardened OCSP response verification by using constant-time hash comparisons
and rejecting responses exceeding 100 KB before ASN.1 decoding.
Own Id: OTP-20197
Related Id(s): PR-11239
Full runtime dependencies of public_key-1.17.1.4
asn1-5.0, crypto-5.0, erts-13.0, kernel-8.0, stdlib-4.0
ssh-5.2.11.9
The ssh-5.2.11.9 application can be applied independently of other applications
on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
Fixed a path-existence oracle in the SFTP server where SSH_FXP_REALPATH
requests with .. components could bypass the configured root directory
isolation, allowing an authenticated client to determine whether arbitrary
paths exist on the host filesystem.
Own Id: OTP-20183
Related Id(s): GH-SA-h9pw-h5w4-h976, PR-11294, CVE-2026-53422
-
Fixed an infinite loop in the SFTP server triggered when receiving
SSH_MSG_CHANNEL_EXTENDED_DATA on an SFTP channel, which caused the channel
process to spin indefinitely on CPU without consuming its message queue.
Own Id: OTP-20186
Related Id(s): GH-SA-7wp4-pc27-2vj9, PR-11295, CVE-2026-54886
-
The SFTP server now caps the read length in SSH_FXP_READ requests to 255 KiB
(matching OpenSSH’s SFTP_MAX_READ_LENGTH), preventing excessive memory
allocation when clients request large reads.
Own Id: OTP-20200
Related Id(s): PR-11259
-
Removed a server-side workaround (OTP-14827, introduced in OTP 20) that
accepted SHA-1 user-auth signatures from clients identifying as OpenSSH 7.x
when rsa-sha2-* was negotiated. The workaround addressed a distro-specific
build issue in 2017 that no longer exists. Clients affected by this removal
(extremely unlikely — requires a 10-year-old unpatched OpenSSH build) will see
authentication failures and must upgrade.
Own Id: OTP-20206
Related Id(s): PR-11268
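The SSH_FXP_REALPATH item above comes down to where the .. components get
collapsed. The following is an added illustration, not code from the ssh
application, of the two orders of operations: a resolver that joins the
client path onto the root and normalizes on the host side, so .. can climb
above the root and an existence check then answers for host paths, beside one
that canonicalizes in the client's virtual namespace (where the root is "/")
and only afterwards maps onto the host. The root directory, the client paths
and the small HOST_FS set are constructed for the example; symbolic links on
the host are not modelled.

```python
import posixpath

# Constructed stand-in for the host filesystem: the set of paths that exist.
HOST_FS = {
    "/etc/passwd",
    "/srv/sftp/alice",
    "/srv/sftp/alice/readme.txt",
    "/srv/sftp/alice/docs",
}


def host_path_unconfined(root, client_path):
    """Oracle-prone resolution: join the client's path onto the root and
    normalize on the host side. The '..' components are collapsed *after*
    the join, so '../../..' walks above the root."""
    return posixpath.normpath(posixpath.join(root, client_path.lstrip("/")))


def resolve_confined(root, client_path):
    """Canonicalize in the client's namespace first. Inside the SFTP root the
    client sees '/', and normpath drops any '..' that would go above '/', so
    the virtual path can never escape. Only then is it mapped onto the host.
    Returns (virtual_path, host_path)."""
    root = posixpath.normpath(root)
    virtual = posixpath.normpath(posixpath.join("/", client_path))
    host = root if virtual == "/" else root + virtual
    # Defense in depth: the mapped path must still sit at or under the root.
    if host != root and not host.startswith(root + "/"):
        raise ValueError("path escaped root: %r" % host)
    return virtual, host


def realpath_reply(root, client_path, host_fs=HOST_FS):
    """What a confined SSH_FXP_REALPATH handler answers: the canonical
    virtual path, plus whether that path exists *inside* the root."""
    virtual, host = resolve_confined(root, client_path)
    return virtual, host in host_fs


def exists_oracle(root, client_path, host_fs=HOST_FS):
    """The leak the fix removes: existence tested on the unconfined host
    path, so the answer reveals whether arbitrary host paths exist."""
    return host_path_unconfined(root, client_path) in host_fs
```

Run realpath_reply("/srv/sftp/alice", "../../../etc/passwd") and the reply is
("/etc/passwd", False): the .. components are swallowed at the virtual root and
the existence answer refers to /srv/sftp/alice/etc/passwd, whereas
exists_oracle answers True for the host's /etc/passwd.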
Full runtime dependencies of ssh-5.2.11.9
crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1,
stdlib-5.0, stdlib-6.0
ssl-11.2.12.10
Note! The ssl-11.2.12.10 application cannot be applied independently of other
applications on an arbitrary OTP 27 installation.
On a full OTP 27 installation, also the following runtime
dependency has to be satisfied:
-- public_key-1.17.1.3 (first satisfied in OTP 27.3.4.12)
Fixed Bugs and Malfunctions
-
Corrected small behavior bugs that could occasionally cause DTLS connection
errors, unwanted behavior for legacy DHE_DSS, hiding of a distribution
configuration error, and possibly unorderly process tree shutdown.
Own Id: OTP-20190
Related Id(s): PR-11250
-
The DTLS cookie is now initialized to a random value, to prevent a DoS attack
with a forged cookie during the startup window.
Own Id: OTP-20194
Related Id(s): PR-11271, CVE-2026-54887
-
Guarded the TLS client against MITM injection of application data during the
"plain-text window" of the handshake.
Own Id: OTP-20207
Related Id(s): PR-11270, CVE-2026-54891
-
Improved TLS PSK error handling: an illegal_parameter alert is now sent if the
binders and PSK identities do not match. Also mended the recovery mechanism of
the ticket and session stores to be as resilient as possible to intermediate
bugs.
Own Id: OTP-20216
Related Id(s): PR-11282, CVE-2026-55952
-
Fixed a race condition that could be used to mount a DoS attack against DTLS
servers.
Own Id: OTP-20220
Related Id(s): PR-11306, CVE-2026-55950
-
A TLS-1.3 stateless session ticket with obfuscated_ticket_age set to zero was
incorrectly accepted without checking the server-side ticket lifetime or the
RFC 8446 Section 8.3 freshness window. The server now always validates ticket
age using its own timestamp regardless of the client-reported age value.
Own Id: OTP-20230
Related Id(s): PR-11307
-
The TLS-1.3 client now rejects a second HelloRetryRequest, as required by
RFC 8446 Section 4.1.4.
Own Id: OTP-20231
Related Id(s): PR-11309
-
A busy client node could trigger a crash of its ticket store under unlucky
scheduling when session tickets are in auto mode.
Own Id: OTP-20232
Related Id(s): PR-11311
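To make the OTP-20230 item concrete, here is an added example, not code from
the ssl application, of server-side ticket age validation as RFC 8446
Sections 4.2.11.1 and 8.3 describe it. The client sends
obfuscated_ticket_age = (age_ms + ticket_age_add) mod 2^32; the server
recovers the claimed age, but decides from its own issue timestamp whether the
ticket is still within ticket_lifetime and only then checks that the claimed
age agrees with the observed age within a tolerance. The trusting variant at
the end shows the shortcut the fix removes. The ticket record, the 7200 s
lifetime, the 10 s tolerance window and the clock values are constructed for
the example.

```python
import os

TICKET_LIFETIME_S = 7200        # NewSessionTicket.ticket_lifetime (RFC 8446: at most 604800)
FRESHNESS_WINDOW_MS = 10_000    # tolerance between claimed and observed age (assumed value)
MOD32 = 1 << 32


def issue_ticket(now_ms, lifetime_s=TICKET_LIFETIME_S):
    """Server side of NewSessionTicket: remember when the ticket was issued
    and the random ticket_age_add that obfuscates the age on the wire."""
    return {
        "issued_ms": now_ms,
        "lifetime_s": lifetime_s,
        "age_add": int.from_bytes(os.urandom(4), "big"),
    }


def client_obfuscated_age(ticket, client_age_ms):
    """Client side: the obfuscated_ticket_age carried in the pre_shared_key
    extension of ClientHello."""
    return (client_age_ms + ticket["age_add"]) % MOD32


def validate_ticket_age(ticket, obfuscated_ticket_age, now_ms,
                        window_ms=FRESHNESS_WINDOW_MS):
    """Server side. Returns 'ok' or a rejection reason. The server's own
    clock decides expiry; the client-reported age only has to agree with it."""
    observed_age_ms = now_ms - ticket["issued_ms"]
    # Lifetime check uses the server timestamp, never the client's value.
    if observed_age_ms < 0 or observed_age_ms > ticket["lifetime_s"] * 1000:
        return "expired"
    # Undo the obfuscation modulo 2^32 to recover the age the client claims.
    claimed_age_ms = (obfuscated_ticket_age - ticket["age_add"]) % MOD32
    # Section 8.3 freshness: a claimed age far from the observed age means a
    # replayed ClientHello or a badly skewed client; reject 0-RTT/resumption.
    if abs(claimed_age_ms - observed_age_ms) > window_ms:
        return "age_mismatch"
    return "ok"


def validate_trusting_client(ticket, obfuscated_ticket_age, now_ms):
    """The shortcut the fix removes, shown for contrast only: a zero
    obfuscated age short-circuits both the lifetime and the freshness check,
    so a long-expired ticket is accepted on the client's say-so."""
    if obfuscated_ticket_age == 0:
        return "ok"
    return validate_ticket_age(ticket, obfuscated_ticket_age, now_ms)
```

With a ticket issued three hours earlier and obfuscated_ticket_age of zero,
validate_ticket_age returns "expired" while validate_trusting_client returns
"ok"; an honest client 5 s after issue passes, and the same ClientHello
replayed 60 s after issue is rejected as "age_mismatch".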
Full runtime dependencies of ssl-11.2.12.10
crypto-5.1, erts-15.0, inets-5.10.7, kernel-9.0, public_key-1.17.1.3,
runtime_tools-1.15.1, stdlib-6.0
Thanks to
Nick Krichevsky, zmstone