The vulnerability in Erlang OTP's ssh_sftpd module (CVE-2026-32147) arises from improper limitation of pathname to a restricted directory (CWE-22). The SFTP daemon stores raw user-supplied paths in file handles instead of paths resolved within the chroot jail. When an SSH_FXP_FSETSTAT request is made on such a handle, file attributes on the actual filesystem path outside the chroot can be modified. This allows authenticated SFTP users to bypass directory restrictions and alter file attributes like permissions and ownership on files outside the chroot boundary. The vulnerability affects OTP versions 17.0 through 28.4.3 and corresponding ssh versions. Exploitation requires authentication and the existence of files at matching relative paths outside the chroot. The issue can lead to privilege escalation if the SSH daemon runs with root privileges.

Authenticated SFTP users on affected Erlang OTP servers configured with the root option can modify file attributes outside the chroot directory, potentially changing permissions, ownership, and timestamps of arbitrary files. This does not allow reading or modifying file contents. If the SSH daemon runs as root, attackers can escalate privileges by setting setuid bits on binaries or altering ownership of sensitive files, potentially compromising system security. The CVSS 4.0 score is 5.3 (medium severity), reflecting the need for authentication and limited scope to attribute modification.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider restricting SSH daemon privileges, avoid running ssh_sftpd as root, and carefully configure chroot environments to minimize risk. Monitoring for unusual attribute changes on critical files may help detect exploitation attempts.