The vulnerability in Erlang OTP's public_key (pubkey_cert module) arises from improper following of a certificate's chain of trust. Specifically, the function pubkey_cert:validate_extensions/7 fails to reject certificates with basicConstraints cA:false used as intermediate issuers if they lack a keyUsage extension. This allows an attacker with an end-entity certificate (cA:false, no keyUsage) issued by a trusted CA to sign forged leaf certificates accepted by public_key:pkix_path_validation/3. Consequently, TLS and mTLS endpoints relying on OTP's ssl application default verifier are affected, impacting server and client certificate verification. Affected OTP versions include 17.0 up to but not including 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1, corresponding to public_key versions prior to 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1. The vulnerability has a CVSS 4.0 score of 7.0 (high severity).

An attacker possessing an end-entity certificate with basicConstraints cA:false and no keyUsage extension, issued by any trusted CA, can exploit this vulnerability to forge certificate chains. This allows the creation of fraudulent leaf certificates for arbitrary identities that are accepted by OTP's public_key validation logic. As a result, TLS and mTLS endpoints using the default verifier in the OTP ssl application may trust malicious certificates, undermining server identity verification on clients and client certificate verification on servers. This compromises the integrity of secure communications relying on these certificates.

The vendor manages remediation for this cloud-hosted service and has released patches in OTP versions 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1, and corresponding public_key module versions 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1. Users should upgrade to these patched versions to address the vulnerability. Patch status is confirmed as available. Check the vendor advisory for the latest remediation guidance and ensure OTP and public_key modules are updated accordingly.