CVE-2026-49760 is a stack-based buffer overflow in the Erlang OTP erl_interface library's ei_s_print_term function. The function uses a fixed-size 2000-character stack buffer to format Erlang terms. When processing an encoded term with a very large integer whose encoded representation exceeds 2000 characters, the buffer overflows. The overflow bytes are limited to ASCII digits and uppercase hexadecimal letters, which restricts exploitation to denial of service rather than arbitrary code execution. The companion function ei_print_term, which outputs directly to a FILE, is not vulnerable. Affected versions include OTP 17.0 up to but not including 27.3.4.13, 28.5.0.2, and 29.0.2, and erl_interface versions 3.7.16 and later up to but not including 5.5.2.1, 5.7.0.1, and 5.8.1.

The vulnerability allows an attacker to cause a denial of service by triggering a stack-based buffer overflow in the ei_s_print_term function when processing specially crafted large integer terms. The overflow is limited to certain ASCII characters, preventing code execution or other more severe impacts. There are no known exploits in the wild. The vulnerability requires local access (AV:L) and low complexity to exploit, with no privileges or user interaction needed.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are provided in the available data. Users should avoid processing untrusted large integer terms with the vulnerable ei_s_print_term function or use the non-vulnerable ei_print_term function where possible. Monitor Erlang OTP vendor advisories for updates and patches addressing this issue.