#VU125776 Generation of Predictable Numbers or Identifiers in otp - CVE-2026-28810

 


Published: April 10, 2026


Vulnerability identifier: #VU125776
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-28810
CWE-ID: CWE-340
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: otp
Software vendor: erlang

Description

The vulnerability allows a remote attacker to poison the DNS cache.

The vulnerability exists due to generation of predictable numbers or identifiers in the inet_res built-in DNS resolver when processing UDP DNS queries. A remote attacker can forge a DNS response with a predicted transaction ID to poison the DNS cache.

Exploitation is practical for an attacker who can observe one query or predict the next transaction ID.
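
A defender-side check for the weakness described above, as an added example (not code from the advisory or from Erlang/OTP): it reads the transaction ID from captured outgoing DNS queries and flags a constant step between consecutive IDs. The advisory does not say how inet_res derives its IDs, so the constant-step pattern, the 0.8 threshold, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct
from collections import Counter

def build_query(txid: int, name: str = "example.test") -> bytes:
    """Constructed sample input: a minimal DNS A query in RFC 1035 layout."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def query_txid(payload: bytes) -> int:
    """Return the 16-bit transaction ID of a DNS query (first two header bytes)."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags = struct.unpack("!HH", payload[:4])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    return txid

def assess_txids(txids, threshold: float = 0.8) -> str:
    """Flag a sequence of IDs whose consecutive differences are mostly identical.

    Assumed heuristic: it only catches counter-like generators. A result of
    'no-simple-pattern' does not prove the IDs come from a secure RNG.
    """
    if len(txids) < 8:
        return "insufficient-data"
    # Differences are taken modulo 2**16 so a counter wrapping at 0xFFFF still matches.
    deltas = [(b - a) & 0xFFFF for a, b in zip(txids, txids[1:])]
    step, hits = Counter(deltas).most_common(1)[0]
    if hits / len(deltas) >= threshold:
        return f"predictable: constant step {step}"
    return "no-simple-pattern"

# Constructed captures: one counter-like resolver (wraps past 0xFFFF), one scattered.
SEQUENTIAL_CAPTURE = [build_query((0xFFFC + i) & 0xFFFF) for i in range(10)]
SCATTERED_CAPTURE = [build_query(i) for i in (
    0x3A1F, 0xC402, 0x07B9, 0x9E55, 0x51D0, 0xE8A3, 0x2C6E, 0xB017, 0x6F84, 0x13CA)]

if __name__ == "__main__":
    for label, capture in (("sequential", SEQUENTIAL_CAPTURE),
                           ("scattered", SCATTERED_CAPTURE)):
        print(label, "->", assess_txids([query_txid(p) for p in capture]))
```

Feed it the UDP payloads of queries your own resolver host sends, in send order; interleaved queries from several resolver processes on one host will blur a counter pattern, so capture per process where possible.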


Remediation

Install the security update from the vendor's website.
