Nixpkgs security tracker

Untriaged

Permalink CVE-2026-49760

6.9 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): High (H)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): High (H)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

created 2 weeks ago Activity log

Created suggestion 2 weeks ago

Stack Buffer Overflow in ei_s_print_term at Very Large Integer

Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow. This vulnerability is associated with program file lib/erl_interface/src/misc/ei_printterm.c and program routine ei_s_print_term. The C function ei_s_print_term uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of 0-9 and A-F, which limits exploitation to Denial of Service. The companion function ei_print_term, which prints directly to a FILE instead of a memory buffer, does not contain this bug. This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.

References

https://github.com/erlang/otp/security/advisories/GHSA-xcxj-5pg2-v72j relatedvendor-advisory
https://cna.erlef.org/cves/CVE-2026-49760.html related
https://osv.dev/vulnerability/EEF-CVE-2026-49760 related
https://www.erlang.org/doc/system/versions.html#order-of-versions x_version-scheme
https://github.com/erlang/otp/commit/0bef277b2d39dc8babb9ceb4f5d0a456f3007111 patch

Affected products

erlang/otp

<0bef277b2d39dc8babb9ceb4f5d0a456f3007111
*

erl_interface

Matching in nixpkgs

pkgs.cotp

Trustworthy, encrypted, command-line TOTP/HOTP authenticator app with import functionality

nixos-unstable 1.9.10
- nixpkgs-unstable 1.9.10
- nixos-unstable-small 1.9.10
nixos-26.05 1.9.10
- nixos-26.05-small 1.9.10
- nixpkgs-26.05-darwin 1.9.10

pkgs.otpw

One-time password login package

nixos-unstable 1.5
- nixpkgs-unstable 1.5
- nixos-unstable-small 1.5
nixos-26.05 1.5
- nixos-26.05-small 1.5
- nixpkgs-26.05-darwin 1.5

pkgs.libcotp

C library that generates TOTP and HOTP

nixos-unstable 3.1.1
- nixpkgs-unstable 3.1.1
- nixos-unstable-small 3.1.1
nixos-26.05 3.1.1
- nixos-26.05-small 3.1.1
- nixpkgs-26.05-darwin 3.1.1

pkgs.mintotp

Minimal TOTP generator

nixos-unstable 0.3.0
- nixpkgs-unstable 0.3.0
- nixos-unstable-small 0.3.0
nixos-26.05 0.3.0
- nixos-26.05-small 0.3.0
- nixpkgs-26.05-darwin 0.3.0

pkgs.otpauth

Google Authenticator migration decoder

nixos-unstable 0.6.0
- nixpkgs-unstable 0.6.0
- nixos-unstable-small 0.6.0
nixos-26.05 0.6.0
- nixos-26.05-small 0.6.0
- nixpkgs-26.05-darwin 0.6.0

pkgs.hotpatch

Hot patching executables on Linux using .so file injection

nixos-unstable 0.2
- nixpkgs-unstable 0.2
- nixos-unstable-small 0.2
nixos-26.05 0.2
- nixos-26.05-small 0.2
- nixpkgs-26.05-darwin 0.2

pkgs.totp-cli

Authy/Google Authenticator like TOTP CLI tool written in Go

nixos-unstable 1.9.2
- nixpkgs-unstable 1.9.2
- nixos-unstable-small 1.9.2
nixos-26.05 1.9.2
- nixos-26.05-small 1.9.2
- nixpkgs-26.05-darwin 1.9.2

pkgs.otpclient

Highly secure and easy to use OTP client written in C/GTK that supports both TOTP and HOTP

nixos-unstable 4.2.0
- nixpkgs-unstable 4.2.0
- nixos-unstable-small 4.2.0
nixos-26.05 4.2.0
- nixos-26.05-small 4.2.0
- nixpkgs-26.05-darwin 4.2.0

pkgs.tpm2-totp

Attest the trustworthiness of a device against a human using time-based one-time passwords

nixos-unstable 0.3.0
- nixpkgs-unstable 0.3.0
- nixos-unstable-small 0.3.0
nixos-26.05 0.3.0
- nixos-26.05-small 0.3.0
- nixpkgs-26.05-darwin 0.3.0

pkgs.godotpcktool

Standalone tool for extracting and creating Godot .pck files

nixos-unstable 2.2
- nixpkgs-unstable 2.2
- nixos-unstable-small 2.2
nixos-26.05 2.2
- nixos-26.05-small 2.2
- nixpkgs-26.05-darwin 2.2

pkgs.nitrotpm-tools

Collection of utilities for working with NitroTPM attestation

nixos-unstable 1.1.1
- nixpkgs-unstable 1.1.1
- nixos-unstable-small 1.1.2
nixos-26.05 1.1.1
- nixos-26.05-small 1.1.1
- nixpkgs-26.05-darwin 1.1.1

pkgs.keepass-otpkeyprov

None

nixos-unstable 2.6
- nixpkgs-unstable 2.6
- nixos-unstable-small 2.6
nixos-26.05 2.6
- nixos-26.05-small 2.6
- nixpkgs-26.05-darwin 2.6

pkgs.keepass-keetraytotp

None

nixos-unstable 0.108.0
- nixpkgs-unstable 0.108.0
- nixos-unstable-small 0.108.0
nixos-26.05 0.108.0
- nixos-26.05-small 0.108.0
- nixpkgs-26.05-darwin 0.108.0

pkgs.gnomeExtensions.totp

Generate One-Time Passwords (aka OTP, both TOTP and HOTP) for websites that use Two-Factor Authentication (2FA) like Google, Facebook, Discord, Amazon, Steam, etc.

nixos-unstable 54
- nixpkgs-unstable 54
- nixos-unstable-small 54
nixos-26.05 54
- nixos-26.05-small 54
- nixpkgs-26.05-darwin 54

pkgs.arubaotp-seed-extractor

Extract TOTP seed instead of using ArubaOTP app

nixos-unstable 0-unstable-2022-12-22
- nixpkgs-unstable 0-unstable-2022-12-22
- nixos-unstable-small 0-unstable-2022-12-22
nixos-26.05 0-unstable-2022-12-22
- nixos-26.05-small 0-unstable-2022-12-22
- nixpkgs-26.05-darwin 0-unstable-2022-12-22

pkgs.passExtensions.pass-otp

Pass extension for managing one-time-password (OTP) tokens

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0
nixos-26.05 1.2.0
- nixos-26.05-small 1.2.0
- nixpkgs-26.05-darwin 1.2.0

pkgs.python313Packages.pyotp

Python One Time Password Library

nixos-unstable 2.9.0
- nixpkgs-unstable 2.9.0
- nixos-unstable-small 2.9.0
nixos-26.05 2.9.0
- nixos-26.05-small 2.9.0
- nixpkgs-26.05-darwin 2.9.0

pkgs.python314Packages.pyotp

Python One Time Password Library

nixos-unstable 2.9.0
- nixpkgs-unstable 2.9.0
- nixos-unstable-small 2.9.0
nixos-26.05 2.9.0
- nixos-26.05-small 2.9.0
- nixpkgs-26.05-darwin 2.9.0

pkgs.tpm2-totp-with-plymouth

Attest the trustworthiness of a device against a human using time-based one-time passwords

nixos-unstable 0.3.0
- nixpkgs-unstable 0.3.0
- nixos-unstable-small 0.3.0
nixos-26.05 0.3.0
- nixos-26.05-small 0.3.0
- nixpkgs-26.05-darwin 0.3.0

pkgs.gnomeExtensions.otp-keys

Show and copy otp keys

nixos-unstable 33
- nixpkgs-unstable 33
- nixos-unstable-small 33
nixos-26.05 33
- nixos-26.05-small 33
- nixpkgs-26.05-darwin 33

pkgs.haskellPackages.dotparse

dot language parsing and printing

nixos-unstable 0.1.4.0
- nixpkgs-unstable 0.1.4.0
- nixos-unstable-small 0.1.4.0
nixos-26.05 0.1.4.0
- nixos-26.05-small 0.1.4.0
- nixpkgs-26.05-darwin 0.1.4.0

pkgs.python313Packages.plotpy

Curve and image plotting tools for Python/Qt applications

nixos-unstable 2.9.0
- nixpkgs-unstable 2.9.0
- nixos-unstable-small 2.9.0
nixos-26.05 2.9.0
- nixos-26.05-small 2.9.0
- nixpkgs-26.05-darwin 2.9.0

pkgs.gnomeExtensions.bootpaper

Randomly selects a new wallpaper on startup from local folder

nixos-unstable 6
- nixpkgs-unstable 6
- nixos-unstable-small 6
nixos-26.05 6
- nixos-26.05-small 6
- nixpkgs-26.05-darwin 6

pkgs.python313Packages.otpauth

Implements one time password of HOTP/TOTP

nixos-unstable 2.2.1
- nixpkgs-unstable 2.2.1
- nixos-unstable-small 2.2.1
nixos-26.05 2.2.1
- nixos-26.05-small 2.2.1
- nixpkgs-26.05-darwin 2.2.1

pkgs.python314Packages.otpauth

Implements one time password of HOTP/TOTP

nixos-unstable 2.2.1
- nixpkgs-unstable 2.2.1
- nixos-unstable-small 2.2.1
nixos-26.05 2.2.1
- nixos-26.05-small 2.2.1
- nixpkgs-26.05-darwin 2.2.1

pkgs.haskellPackages.crypto-totp

Provides generation and verification services for time-based one-time keys

nixos-unstable 0.1.0.1
- nixpkgs-unstable 0.1.0.1
- nixos-unstable-small 0.1.0.1
nixos-26.05 0.1.0.1
- nixos-26.05-small 0.1.0.1
- nixpkgs-26.05-darwin 0.1.0.1

pkgs.python313Packages.can-isotp

Python package that provides support for ISO-TP (ISO-15765) protocol

nixos-unstable 2.0.7
- nixpkgs-unstable 2.0.7
- nixos-unstable-small 2.0.7
nixos-26.05 2.0.7
- nixos-26.05-small 2.0.7
- nixpkgs-26.05-darwin 2.0.7

pkgs.python314Packages.can-isotp