DNS Cache Poisoning Vulnerability in Erlang/OTP Kernel
CVE-2026-28810

6.3MEDIUM

Key Information:

Vendor: Erlang
Status: Otp
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-28810?

A vulnerability exists in the Erlang/OTP kernel's inet_res and inet_db modules, allowing for DNS cache poisoning attacks. The built-in DNS resolver uses a sequential 16-bit transaction ID for UDP queries, neglecting essential randomization of source ports. This weakness facilitates the practical exploitation of DNS cache poisoning, which occurs when an attacker can observe or predict transaction IDs, compromising the integrity of DNS responses. Furthermore, the original deployment documentation inadequately advised against using the inet_res resolver in untrusted environments, increasing the risk of exposure to malicious DNS spoofing.

Affected Version(s)

OTP 3.0

OTP 17.0

OTP 07b8f441ca711f9812fad9e9115bab3c3aa92f79

References

https://github.com/erlang/otp/security/advisories/GHSA-v8...

vendor-advisoryrelated

https://cna.erlef.org/cves/CVE-2026-28810.html

https://osv.dev/vulnerability/EEF-CVE-2026-28810

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Mar 3, 2026

Credit

Luigino Camastra / Aisle Research

Raimo Niskanen

CVE-2026-28810 Data

JSON