Platform: linux
Component: erlang
CVE-2026-28810 is a Generation of Predictable Numbers or Identifiers vulnerability in the inet_res and inet_db modules of the Erlang/OTP kernel application. The flaw enables DNS cache poisoning, potentially allowing attackers to intercept and manipulate DNS traffic. It affects Erlang/OTP versions 3.0.0 and later running on Linux systems, and a fix is available.
The core of the vulnerability is the predictability of the transaction IDs used by Erlang/OTP's built-in DNS resolver (inet_res). The IDs are sequential and process-global, and the resolver does not randomize its source port. Because response validation relies heavily on the transaction ID, an attacker who can observe or predict these IDs can forge DNS responses that the resolver accepts. The result is DNS cache poisoning: malicious DNS records are injected into the resolver's cache, redirecting users to malicious websites or exposing sensitive data to interception. inet_res assumes a trusted network environment; where that assumption does not hold, deployments are at significant risk.
This vulnerability was publicly disclosed on 2026-04-07. There is currently no indication of active exploitation campaigns. The vulnerability's reliance on predictable IDs aligns with known DNS cache poisoning techniques. It is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the vulnerability's nature suggests it is likely to be exploited if left unaddressed.
Exploit Status
EPSS: 0.07% (21st percentile)
While a patched version of Erlang/OTP is the definitive solution, immediate mitigation steps can reduce the risk. Restricting network access to the Erlang/OTP system, limiting its exposure to untrusted networks, is crucial. Implement strict firewall rules to control outbound DNS queries. Monitoring DNS traffic for anomalies, such as unexpected responses or unusual query patterns, can help detect ongoing attacks. Consider using a hardened DNS resolver outside of Erlang/OTP for critical applications. After upgrading to a patched version, verify DNS resolution functionality and monitor system logs for any unexpected behavior.
Update Erlang/OTP to version 28.4.3 or higher, or to the corresponding patched versions (10.6.3 for kernel 3.0, 10.2.7.4 for kernel 10.2, 9.2.4.11 for kernel 9.2). The update mitigates the DNS cache poisoning vulnerability by implementing more secure transaction ID generation and source port randomization.
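To check from a packet capture whether a host's outbound resolver traffic still shows counter-style transaction IDs and no source port randomization, the following added example (not code from the Erlang/OTP project or from this advisory) parses DNS query headers and flags both conditions. The function names, thresholds and sample packets are assumptions constructed for illustration.

```python
import struct

def parse_query_id(msg: bytes):
    """Return the 16-bit transaction ID of a DNS query, or None for a response or short input."""
    if len(msg) < 12:                       # a DNS header is 12 bytes
        return None
    txid, flags = struct.unpack("!HH", msg[:4])
    return None if flags & 0x8000 else txid  # QR bit set means response

def audit_queries(observed, min_samples=8, seq_ratio=0.9):
    """observed: list of (udp_source_port, dns_message_bytes) in capture order.
    Thresholds are illustrative assumptions, not values from the advisory."""
    ids, ports = [], []
    for port, msg in observed:
        txid = parse_query_id(msg)
        if txid is not None:
            ids.append(txid)
            ports.append(port)
    findings = {"queries": len(ids), "sequential_ids": False,
                "low_port_diversity": False}
    if len(ids) < min_samples:
        return findings                     # too few samples to judge
    # Small positive steps (wrapping at 2**16) between consecutive IDs
    # indicate a counter; 1..4 tolerates queries missing from the capture.
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    steps = sum(1 for d in deltas if 1 <= d <= 4)
    findings["sequential_ids"] = steps / len(deltas) >= seq_ratio
    # A randomizing resolver rarely reuses a source port within a small sample.
    findings["low_port_diversity"] = len(set(ports)) <= max(1, len(ports) // 8)
    return findings

def build_query(txid):
    """Constructed sample: query for example.com, type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)

# Constructed samples: a counter wrapping past 0xFFFF from one fixed port,
# and queries with unrelated IDs sent from varying ports.
COUNTER_STYLE = [(40000, build_query((65530 + i) % 65536)) for i in range(12)]
RANDOMIZED = [(p, build_query(t)) for p, t in [
    (51234, 0x9A3F), (33871, 0x12C4), (60412, 0xE7B0), (45109, 0x03D9),
    (38822, 0xB16E), (57003, 0x6A21), (49250, 0xF4C8), (35567, 0x2D95),
    (62318, 0x80E3), (41794, 0x57BA), (54460, 0xC90D), (36985, 0x1E72)]]

if __name__ == "__main__":
    print("counter-style:", audit_queries(COUNTER_STYLE))
    print("randomized:   ", audit_queries(RANDOMIZED))
```

Running the same audit on captures taken before and after the upgrade gives a direct check that both findings clear once the patched resolver is in use.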
CVE-2026-28810 is a vulnerability in Erlang/OTP (versions 3.0.0 and later) that allows attackers to poison the DNS cache due to predictable transaction IDs, potentially redirecting users to malicious sites.
If you are using Erlang/OTP versions 3.0.0 or later on a Linux system and rely on its built-in DNS resolver, you are potentially affected by this vulnerability.
Upgrade to a patched version of Erlang/OTP as soon as it becomes available. Until then, restrict network access and monitor DNS traffic.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests it could be exploited if left unaddressed.
Refer to the Erlang/OTP project's official website and security advisories for updates and information regarding CVE-2026-28810.