CVE-2026-28810: CWE-340 Generation of Predictable Numbers or Identifiers in Erlang OTP
Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning. The built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers. inet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible. This vulnerability is associated with program files lib/kernel/src/inet_db.erl and lib/kernel/src/inet_res.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11.
AI Analysis
Technical Summary
The vulnerability CVE-2026-28810 in Erlang/OTP kernel modules inet_res and inet_db arises from the generation of predictable 16-bit transaction IDs used in DNS UDP queries without source port randomization. This design flaw allows an attacker who can observe or predict transaction IDs to perform DNS cache poisoning attacks by forging DNS responses that pass validation checks. The affected OTP versions range from 17.0 through 28.4.2 and corresponding kernel versions. The resolver was designed for trusted network environments, but insufficient documentation may have led to its use in untrusted contexts. The CVSS 4.0 score is 6.3, indicating medium severity. No vendor advisory or patch information is currently available, and the vulnerability remains unmitigated officially.
Potential Impact
An attacker capable of observing DNS queries or predicting transaction IDs can exploit this vulnerability to perform DNS cache poisoning, potentially redirecting DNS queries to malicious IP addresses. This undermines DNS integrity and can facilitate further attacks such as phishing or man-in-the-middle. The impact is limited by the requirement that the attacker can predict or observe the transaction ID and that the resolver is used in an environment where spoofed DNS responses are possible. The vulnerability affects multiple OTP versions and kernel releases.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, users should avoid deploying the inet_res DNS resolver in untrusted network environments where spoofed DNS responses are possible. Consider using alternative DNS resolvers that implement source port randomization and stronger transaction ID generation. Monitor vendor channels for updates or patches addressing this issue.
CVE-2026-28810: CWE-340 Generation of Predictable Numbers or Identifiers in Erlang OTP
Description
Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning. The built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers. inet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible. This vulnerability is associated with program files lib/kernel/src/inet_db.erl and lib/kernel/src/inet_res.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-28810 in Erlang/OTP kernel modules inet_res and inet_db arises from the generation of predictable 16-bit transaction IDs used in DNS UDP queries without source port randomization. This design flaw allows an attacker who can observe or predict transaction IDs to perform DNS cache poisoning attacks by forging DNS responses that pass validation checks. The affected OTP versions range from 17.0 through 28.4.2 and corresponding kernel versions. The resolver was designed for trusted network environments, but insufficient documentation may have led to its use in untrusted contexts. The CVSS 4.0 score is 6.3, indicating medium severity. No vendor advisory or patch information is currently available, and the vulnerability remains unmitigated officially.
Potential Impact
An attacker capable of observing DNS queries or predicting transaction IDs can exploit this vulnerability to perform DNS cache poisoning, potentially redirecting DNS queries to malicious IP addresses. This undermines DNS integrity and can facilitate further attacks such as phishing or man-in-the-middle. The impact is limited by the requirement that the attacker can predict or observe the transaction ID and that the resolver is used in an environment where spoofed DNS responses are possible. The vulnerability affects multiple OTP versions and kernel releases.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, users should avoid deploying the inet_res DNS resolver in untrusted network environments where spoofed DNS responses are possible. Consider using alternative DNS resolvers that implement source port randomization and stronger transaction ID generation. Monitor vendor channels for updates or patches addressing this issue.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-03-03T14:40:00.590Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d4bd49aaed68159afc7f61
Added to database: 4/7/2026, 8:16:09 AM
Last enriched: 4/7/2026, 8:31:23 AM
Last updated: 4/9/2026, 6:24:14 AM
Views: 23
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.