CVE-2026-21620
Publication date 23 February 2026
Last updated 23 February 2026
Ubuntu priority
Description
Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal. This vulnerability is associated with program files lib/tftp/src/tftp_file.erl, src/tftp_file.erl. This issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0.
Why is this CVE low priority?
This requires an application that misuses the tftp API.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| erlang | 25.10 questing | Needs evaluation |
| | 24.04 LTS noble | Needs evaluation |
| | 22.04 LTS jammy | Needs evaluation |
| | 20.04 LTS focal | Needs evaluation |
| | 18.04 LTS bionic | Needs evaluation |
| | 16.04 LTS xenial | Needs evaluation |
| | 14.04 LTS trusty | Needs evaluation |
Notes
mdeslaur
Per upstream: "For a system to be vulnerable, the system designer must have used the undescribed {root_dir,RootDir} state as an option under incorrect assumptions. The state value/type is present in the documentation, in a function signature specification, but it is never described. It is only the option's name that may suggest that it could protect against relative path traversal."