1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
|
Patch Package: OTP 26.2.5.17
Git Tag: OTP-26.2.5.17
Date: 2026-02-20
Trouble Report Id: OTP-19830, OTP-19843, OTP-19845, OTP-19896,
OTP-19926, OTP-19962, OTP-19978, OTP-19981,
OTP-19988, OTP-19993
Seq num: CVE-2026-21620, GH-10354, GH-10705, PR-10339,
PR-10353, PR-10358, PR-10547, PR-10616,
PR-10664, PR-10706, PR-10708, PR-10732
System: OTP
Release: 26
Application: compiler-8.4.3.4, crypto-5.4.2.4,
erts-14.2.5.13, megaco-4.5.0.1,
ssl-11.1.4.11, stdlib-5.2.3.6, tftp-1.1.1.1,
wx-2.4.1.1
Predecessor: OTP 26.2.5.16
Check out the git tag OTP-26.2.5.17, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- compiler-8.4.3.4 ------------------------------------------------
---------------------------------------------------------------------
The compiler-8.4.3.4 application can be applied independently of
other applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19845 Application(s): compiler
Related Id(s): GH-10354, PR-10358
Fixed broken type inference for lists:mapfoldl/r.
Full runtime dependencies of compiler-8.4.3.4: crypto-5.1, erts-13.0,
kernel-8.4, stdlib-5.0
---------------------------------------------------------------------
--- crypto-5.4.2.4 --------------------------------------------------
---------------------------------------------------------------------
The crypto-5.4.2.4 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19993 Application(s): crypto
Related Id(s): PR-10732
Fixed static linking of OpenSSL 3.5+ on Windows.
Full runtime dependencies of crypto-5.4.2.4: erts-9.0, kernel-5.3,
stdlib-3.9
---------------------------------------------------------------------
--- erts-14.2.5.13 --------------------------------------------------
---------------------------------------------------------------------
The erts-14.2.5.13 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19926 Application(s): erts
Related Id(s): PR-10547
Fail the windows build properly when nsis is not
recognised.
OTP-19962 Application(s): erts, stdlib
Related Id(s): PR-10616
Fixed bug in ets:update_counter/4 and
ets:update_element/4 accepting and inserting a default
tuple smaller than the keypos of the table. Such a
tuple without a key element would make the table
internally inconsistent and might lead to bad behavior
at table access, like ERTS runtime crash.
Now a call to ets:update_counter/4 or
ets:update_element/4 will fail with badarg if the key
does not exist in the table and the default tuple is
too small.
OTP-19978 Application(s): erts
Related Id(s): PR-10664
A missing memory barrier when unlocking process locks
could cause unexpected behavior on architectures with
weak memory ordering such as for example ARM.
Full runtime dependencies of erts-14.2.5.13: kernel-9.0, sasl-3.3,
stdlib-4.1
---------------------------------------------------------------------
--- megaco-4.5.0.1 --------------------------------------------------
---------------------------------------------------------------------
The megaco-4.5.0.1 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19896 Application(s): megaco
The megaco_tcp module had debug unintentionally
enabled.
Full runtime dependencies of megaco-4.5.0.1: asn1-3.0, debugger-4.0,
erts-12.0, et-1.5, kernel-8.0, runtime_tools-1.8.14, stdlib-2.5
---------------------------------------------------------------------
--- ssl-11.1.4.11 ---------------------------------------------------
---------------------------------------------------------------------
The ssl-11.1.4.11 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19830 Application(s): ssl
Related Id(s): PR-10339
If two certificate massages are sent to the server
generate an unexpected message alert for the second
one.
Full runtime dependencies of ssl-11.1.4.11: crypto-5.0, erts-14.0,
inets-5.10.7, kernel-9.0, public_key-1.11.3, runtime_tools-1.15.1,
stdlib-4.1
---------------------------------------------------------------------
--- stdlib-5.2.3.6 --------------------------------------------------
---------------------------------------------------------------------
The stdlib-5.2.3.6 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19962 Application(s): erts, stdlib
Related Id(s): PR-10616
Fixed bug in ets:update_counter/4 and
ets:update_element/4 accepting and inserting a default
tuple smaller than the keypos of the table. Such a
tuple without a key element would make the table
internally inconsistent and might lead to bad behavior
at table access, like ERTS runtime crash.
Now a call to ets:update_counter/4 or
ets:update_element/4 will fail with badarg if the key
does not exist in the table and the default tuple is
too small.
OTP-19988 Application(s): stdlib
Related Id(s): GH-10705, PR-10708
For a function that started with a bracket-only pattern
(such as []), the ?FUNCTION_ARITY macro would evaluate
to one less than the actual arity.
Full runtime dependencies of stdlib-5.2.3.6: compiler-5.0,
crypto-4.5, erts-13.1, kernel-9.0, sasl-3.0
---------------------------------------------------------------------
--- tftp-1.1.1.1 ----------------------------------------------------
---------------------------------------------------------------------
The tftp-1.1.1.1 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19981 Application(s): tftp
Related Id(s): PR-10706, CVE-2026-21620
An issue in the undocumented initial state option
[{root_dir,Dir}] to the tftp_file module has been
fixed. The request file name was just concatenated to
Dir so it was possible to traverse above Dir by using
"../" file path components. Now the option actually
restricts local file operations to the Dir directory
and subdirectories.
The initial state option and how to use it was
previously undocumented, so it is unlikely that anyone
would have used it without understanding its
peculiarities.
The documentation of the TFTP application has also been
clarified to make it obvious that the default server
configuration allows read and write access to all files
that are readable or writable by the user running the
Erlang VM, and that the default configuration therefore
should be avoided.
Thanks to Luigino Camastra at Aisle Research, for
finding and reporting this issue.
Full runtime dependencies of tftp-1.1.1.1: erts-6.0, kernel-6.0,
stdlib-5.0
---------------------------------------------------------------------
--- wx-2.4.1.1 ------------------------------------------------------
---------------------------------------------------------------------
The wx-2.4.1.1 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19843 Application(s): wx
Related Id(s): PR-10353
Fixed reading out of array bounds and potential memory
leaks.
Full runtime dependencies of wx-2.4.1.1: erts-12.0, kernel-8.0,
stdlib-5.0
---------------------------------------------------------------------
--- Thanks to -------------------------------------------------------
---------------------------------------------------------------------
Daniel Hryzbil, Jan Uhlig
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
|
