The vulnerability in Erlang OTP's ssh_sftpd module (CVE-2026-32147) is a path traversal issue (CWE-22) that allows an authenticated SFTP user to bypass chroot directory restrictions when modifying file attributes. The root cause is that the ssh_sftpd daemon stores the raw user-supplied path in file handles instead of the chroot-resolved path. When the SSH_FXP_FSETSTAT operation is performed on such a handle, file attributes like permissions, ownership, and timestamps can be altered on the actual filesystem path outside the chroot jail. This flaw affects OTP versions from 17.0 through 28.4.3 and corresponding ssh versions. The vulnerability can lead to privilege escalation if the SSH daemon runs with root privileges, enabling attackers to set the setuid bit or change ownership of critical files. The vulnerability is rated medium severity with a CVSS 4.0 score of 5.3. No patch or official remediation level is currently provided.

Authenticated SFTP users can modify file attributes outside the intended chroot directory, potentially altering permissions, ownership, and timestamps of arbitrary files on the filesystem. If the SSH daemon runs as root, this can lead to privilege escalation by enabling attackers to set the setuid bit on binaries or change ownership and permissions of sensitive system files. The vulnerability does not allow reading or modifying file contents, only file attribute changes. This can undermine system security and integrity by enabling unauthorized privilege escalation and system configuration changes.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider restricting SSH daemon privileges, avoiding running ssh_sftpd as root, or disabling SFTP services if feasible. Monitor vendor channels for updates and apply patches promptly once available.