Linux Distros Unpatched Vulnerability : CVE-2026-49759

🗓️ 11 Jun 2026 00:00:00Reported by TenableType
Linux and Unix hosts with vulnerable Erlang OTP erts can crash BEAM VM via crafted SCTP ERROR chunks; CVE-2026-49759.
Reporter	Title	Published	Views	Family All 11
CVE	CVE-2026-49759	10 Jun 202614:35	–	cve
Cvelist	CVE-2026-49759 Stack buffer overflow in SCTP error cause parsing in inet_drv allows remote VM crash	10 Jun 202614:35	–	cvelist
FreeBSD	Erlang/OTP -- buffer overflow parsing SCTP ERROR/ABORT chunks	10 Jun 202600:00	–	freebsd
Debian CVE	CVE-2026-49759	10 Jun 202614:35	–	debiancve
EUVD	EUVD-2026-36053	10 Jun 202614:35	–	euvd
NVD	CVE-2026-49759	10 Jun 202616:17	–	nvd
OSV	DEBIAN-CVE-2026-49759	10 Jun 202622:47	–	osv
OSV	EEF-CVE-2026-49759 Stack buffer overflow in SCTP error cause parsing in inet_drv allows remote VM crash	10 Jun 202614:35	–	osv
OSV	UBUNTU-CVE-2026-49759	11 Jun 202600:00	–	osv
Positive Technologies	PT-2026-48468	10 Jun 202600:00	–	ptsecurity
Source	Link
security-tracker	www.security-tracker.debian.org/tracker/CVE-2026-49759
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(320499);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/11");

  script_cve_id("CVE-2026-49759");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2026-49759");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote
    attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk. The sctp_parse_error_chunk function
    in erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks and writes cause codes into a fixed-
    size stack-allocated ErlDrvTermData spec[] array without checking bounds. A remote attacker who has
    established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing
    enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit
    values interleaved with a fixed tag, so the overflow does not provide a controlled return address,
    limiting exploitation to Denial of Service. A crafted SCTP ERROR chunk may also leak bits and pieces of
    Erlang VM memory into the received error packet observed by the Erlang process. Such data is already
    readable by the user running the Erlang VM, so the disclosure scope is limited. This issue affects OTP
    from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erts from 6.0 before 15.2.7.9,
    16.4.0.2 and 17.0.2. (CVE-2026-49759)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-49759");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:U/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:U");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-49759");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/06/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:13.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:14.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:erlang");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Debian Linux-11", "Host/OS/Debian Linux-12", "Host/OS/Debian Linux-13", "Host/OS/Debian Linux-14");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Debian Linux-12": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "12",
        "pkgs": [
          {"reference": "erlang"},
          {"reference": "erlang-asn1"},
          {"reference": "erlang-base"},
          {"reference": "erlang-common-test"},
          {"reference": "erlang-crypto"},
          {"reference": "erlang-debugger"},
          {"reference": "erlang-dev"},
          {"reference": "erlang-dialyzer"},
          {"reference": "erlang-diameter"},
          {"reference": "erlang-doc"},
          {"reference": "erlang-edoc"},
          {"reference": "erlang-eldap"},
          {"reference": "erlang-erl-docgen"},
          {"reference": "erlang-et"},
          {"reference": "erlang-eunit"},
          {"reference": "erlang-examples"},
          {"reference": "erlang-ftp"},
          {"reference": "erlang-inets"},
          {"reference": "erlang-jinterface"},
          {"reference": "erlang-manpages"},
          {"reference": "erlang-megaco"},
          {"reference": "erlang-mnesia"},
          {"reference": "erlang-mode"},
          {"reference": "erlang-nox"},
          {"reference": "erlang-observer"},
          {"reference": "erlang-odbc"},
          {"reference": "erlang-os-mon"},
          {"reference": "erlang-parsetools"},
          {"reference": "erlang-public-key"},
          {"reference": "erlang-reltool"},
          {"reference": "erlang-runtime-tools"},
          {"reference": "erlang-snmp"},
          {"reference": "erlang-src"},
          {"reference": "erlang-ssh"},
          {"reference": "erlang-ssl"},
          {"reference": "erlang-syntax-tools"},
          {"reference": "erlang-tftp"},
          {"reference": "erlang-tools"},
          {"reference": "erlang-wx"},
          {"reference": "erlang-x11"},
          {"reference": "erlang-xmerl"}
        ]
      }
    ]
  },
  "Debian Linux-11": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "11",
        "pkgs": [
          {"reference": "erlang"},
          {"reference": "erlang-asn1"},
          {"reference": "erlang-base"},
          {"reference": "erlang-base-hipe"},
          {"reference": "erlang-common-test"},
          {"reference": "erlang-crypto"},
          {"reference": "erlang-debugger"},
          {"reference": "erlang-dev"},
          {"reference": "erlang-dialyzer"},
          {"reference": "erlang-diameter"},
          {"reference": "erlang-doc"},
          {"reference": "erlang-edoc"},
          {"reference": "erlang-eldap"},
          {"reference": "erlang-erl-docgen"},
          {"reference": "erlang-et"},
          {"reference": "erlang-eunit"},
          {"reference": "erlang-examples"},
          {"reference": "erlang-ftp"},
          {"reference": "erlang-inets"},
          {"reference": "erlang-jinterface"},
          {"reference": "erlang-manpages"},
          {"reference": "erlang-megaco"},
          {"reference": "erlang-mnesia"},
          {"reference": "erlang-mode"},
          {"reference": "erlang-nox"},
          {"reference": "erlang-observer"},
          {"reference": "erlang-odbc"},
          {"reference": "erlang-os-mon"},
          {"reference": "erlang-parsetools"},
          {"reference": "erlang-public-key"},
          {"reference": "erlang-reltool"},
          {"reference": "erlang-runtime-tools"},
          {"reference": "erlang-snmp"},
          {"reference": "erlang-src"},
          {"reference": "erlang-ssh"},
          {"reference": "erlang-ssl"},
          {"reference": "erlang-syntax-tools"},
          {"reference": "erlang-tftp"},
          {"reference": "erlang-tools"},
          {"reference": "erlang-wx"},
          {"reference": "erlang-x11"},
          {"reference": "erlang-xmerl"}
        ]
      }
    ]
  },
  "Debian Linux-13": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "13",
        "pkgs": [
          {"reference": "erlang"},
          {"reference": "erlang-asn1"},
          {"reference": "erlang-base"},
          {"reference": "erlang-common-test"},
          {"reference": "erlang-crypto"},
          {"reference": "erlang-debugger"},
          {"reference": "erlang-dev"},
          {"reference": "erlang-dialyzer"},
          {"reference": "erlang-diameter"},
          {"reference": "erlang-doc"},
          {"reference": "erlang-edoc"},
          {"reference": "erlang-eldap"},
          {"reference": "erlang-et"},
          {"reference": "erlang-eunit"},
          {"reference": "erlang-examples"},
          {"reference": "erlang-ftp"},
          {"reference": "erlang-inets"},
          {"reference": "erlang-jinterface"},
          {"reference": "erlang-megaco"},
          {"reference": "erlang-mnesia"},
          {"reference": "erlang-mode"},
          {"reference": "erlang-nox"},
          {"reference": "erlang-observer"},
          {"reference": "erlang-odbc"},
          {"reference": "erlang-os-mon"},
          {"reference": "erlang-parsetools"},
          {"reference": "erlang-public-key"},
          {"reference": "erlang-reltool"},
          {"reference": "erlang-runtime-tools"},
          {"reference": "erlang-snmp"},
          {"reference": "erlang-src"},
          {"reference": "erlang-ssh"},
          {"reference": "erlang-ssl"},
          {"reference": "erlang-syntax-tools"},
          {"reference": "erlang-tftp"},
          {"reference": "erlang-tools"},
          {"reference": "erlang-wx"},
          {"reference": "erlang-x11"},
          {"reference": "erlang-xmerl"}
        ]
      }
    ]
  },
  "Debian Linux-14": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "14",
        "pkgs": [
          {"reference": "erlang"},
          {"reference": "erlang-asn1"},
          {"reference": "erlang-base"},
          {"reference": "erlang-common-test"},
          {"reference": "erlang-crypto"},
          {"reference": "erlang-debugger"},
          {"reference": "erlang-dev"},
          {"reference": "erlang-dialyzer"},
          {"reference": "erlang-diameter"},
          {"reference": "erlang-doc"},
          {"reference": "erlang-edoc"},
          {"reference": "erlang-eldap"},
          {"reference": "erlang-et"},
          {"reference": "erlang-eunit"},
          {"reference": "erlang-examples"},
          {"reference": "erlang-ftp"},
          {"reference": "erlang-inets"},
          {"reference": "erlang-jinterface"},
          {"reference": "erlang-megaco"},
          {"reference": "erlang-mnesia"},
          {"reference": "erlang-mode"},
          {"reference": "erlang-nox"},
          {"reference": "erlang-observer"},
          {"reference": "erlang-odbc"},
          {"reference": "erlang-os-mon"},
          {"reference": "erlang-parsetools"},
          {"reference": "erlang-public-key"},
          {"reference": "erlang-reltool"},
          {"reference": "erlang-runtime-tools"},
          {"reference": "erlang-snmp"},
          {"reference": "erlang-src"},
          {"reference": "erlang-ssh"},
          {"reference": "erlang-ssl"},
          {"reference": "erlang-syntax-tools"},
          {"reference": "erlang-tftp"},
          {"reference": "erlang-tools"},
          {"reference": "erlang-wx"},
          {"reference": "erlang-x11"},
          {"reference": "erlang-xmerl"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}
11 Jun 2026 00:00Current
5.7Medium risk
Vulners AI Score5.7
CVSS 48.8
EPSS0.00096
SSVC