CVE-2026-28810: Predictable DNS Transaction IDs Enable Cache Poisoning in Built-in Resolver

Published Apr 7, 2026
·
Updated

Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning. The built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers. inet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible. This vulnerability is associated with program files lib/kernel/src/inet_db.erl and lib/kernel/src/inet_res.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11.

Affected Software

5 affected components
Erlang/OTP Erlang/OTP>=17.0<=28.4.2, >=17.0<=27.3.4.10, >=17.0<=26.2.5.19
Erlang/OTP OTP kernel>=3.0<=10.6.2, >=3.0<=10.2.7.4, >=3.0<=9.2.4.11
Erlang Erlang\/otp>=17.0<26.2.5.19
Erlang Erlang\/otp>=27.0<27.3.4.10
Erlang Erlang\/otp>=28.0<28.4.2

Remediation

Patch Available

https://github.com/erlang/otp/commit/36f23c9d2cc54afe83671dd7343596d7972839a5

Patch Available

https://github.com/erlang/otp/commit/b057a9d995017b1be50d6dc02edd52382f3231b8

Patch Available

https://github.com/erlang/otp/commit/dd15e8eb03548c5e55e9915f0e91389ec6bad9fd

Event History

Apr 7, 2026
CVE Published
via MITRE·07:50 AM
Data Sourced
via MITRE·07:50 AM
DescriptionWeakness
Data Sourced
via NVD·09:16 AM
RemedyDescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-28810?

CVE-2026-28810 has been classified as a medium severity vulnerability.

2

How do I fix CVE-2026-28810?

To fix CVE-2026-28810, you should upgrade your Erlang/OTP and OTP kernel versions to the latest patched releases.

3

Which versions are affected by CVE-2026-28810?

CVE-2026-28810 affects Erlang/OTP versions from 17.0 up to 28.4.2 and OTP kernel versions from 3.0 to 10.6.2.

4

What type of attack is possible with CVE-2026-28810?

CVE-2026-28810 allows attackers to perform DNS cache poisoning due to predictable DNS transaction IDs.

5

Who is affected by CVE-2026-28810?

Developers and organizations using vulnerable versions of Erlang/OTP and its kernel are at risk from CVE-2026-28810.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203