{"id":"USN-7656-1","summary":"erlang vulnerabilities","details":"It was discovered that Erlang OTP’s SSH module incorrectly enforced strict\nKEX handshake hardening measures. A remote attacker able to intercept\ncommunications could possibly use this issue to insert optional messages\ninto connections during the handshake. (CVE-2025-46712)\n\nIt was discovered that Erlang OTP incorrectly handled ZIP archives. If a\nuser or automated system were tricked into opening a specially crafted ZIP\narchive, a remote attacker could possibly use this issue to overwrite\narbitrary files outside of the intended directory. (CVE-2025-4748)","modified":"2026-02-10T04:49:41Z","published":"2025-07-21T11:51:07Z","related":["UBUNTU-CVE-2025-46712","UBUNTU-CVE-2025-4748"],"upstream":["CVE-2025-46712","CVE-2025-4748","UBUNTU-CVE-2025-46712","UBUNTU-CVE-2025-4748"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7656-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-4748"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-46712"}],"affected":[{"package":{"name":"erlang","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/erlang@1:24.2.1+dfsg-1ubuntu0.5?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:24.2.1+dfsg-1ubuntu0.5"}]}],"versions":["1:23.2.6+dfsg-1build1","1:24.1.1+dfsg-1","1:24.1.4+dfsg-1","1:24.1.5+dfsg-1","1:24.1.5+dfsg-1ubuntu1","1:24.2+dfsg-1","1:24.2.1+dfsg-1","1:24.2.1+dfsg-1ubuntu0.1","1:24.2.1+dfsg-1ubuntu0.2","1:24.2.1+dfsg-1ubuntu0.3","1:24.2.1+dfsg-1ubuntu0.4"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-asn1"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-base"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-common-test"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-crypto"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-debugger"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-dev"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-dialyzer"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-diameter"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-edoc"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-eldap"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-erl-docgen"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-et"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-eunit"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-examples"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-ftp"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-inets"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-jinterface"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-manpages"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-megaco"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-mnesia"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-mode"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-nox"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-observer"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-odbc"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-os-mon"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-parsetools"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-public-key"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-reltool"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-runtime-tools"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-snmp"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-src"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-ssh"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-ssl"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-syntax-tools"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-tftp"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-tools"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-wx"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-x11"},{"binary_version":"1:24.2.1+dfsg-1ubuntu0.5","binary_name":"erlang-xmerl"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2025-4748","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2025-46712","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"type":"Ubuntu","score":"low"}]}],"ecosystem":"Ubuntu:22.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7656-1.json"}},{"package":{"name":"erlang","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/erlang@1:25.3.2.8+dfsg-1ubuntu4.4?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:25.3.2.8+dfsg-1ubuntu4.4"}]}],"versions":["1:25.2.3+dfsg-1","1:25.3.2.8+dfsg-1","1:25.3.2.8+dfsg-1ubuntu1","1:25.3.2.8+dfsg-1ubuntu3","1:25.3.2.8+dfsg-1ubuntu4","1:25.3.2.8+dfsg-1ubuntu4.1","1:25.3.2.8+dfsg-1ubuntu4.2","1:25.3.2.8+dfsg-1ubuntu4.3"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-asn1"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-base"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-common-test"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-crypto"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-debugger"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-dev"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-dialyzer"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-diameter"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-edoc"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-eldap"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-erl-docgen"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-et"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-eunit"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-examples"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-ftp"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-inets"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-jinterface"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-manpages"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-megaco"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-mnesia"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-mode"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-nox"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-observer"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-odbc"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-os-mon"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-parsetools"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-public-key"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-reltool"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-runtime-tools"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-snmp"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-src"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-ssh"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-ssl"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-syntax-tools"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-tftp"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-tools"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-wx"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-x11"},{"binary_version":"1:25.3.2.8+dfsg-1ubuntu4.4","binary_name":"erlang-xmerl"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2025-4748","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2025-46712","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"type":"Ubuntu","score":"low"}]}],"ecosystem":"Ubuntu:24.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7656-1.json"}}],"schema_version":"1.7.3"}