Releases: erlang/otp
OTP 29.0-rc2
OTP 29.0-rc2
Erlang/OTP 29.0-rc2 is the second release candidate of three before the OTP 29.0 release.
The intention with this release is to get feedback from our users. All feedback is welcome, even if it is only to say that it works for you. We encourage users to try it out and give us feedback either by creating an issue at https://github.com/erlang/otp/issues or by posting to Erlang Forums.
All artifacts for the release can be downloaded from the Erlang/OTP Github release and you can view the new documentation at https://erlang.org/documentation/doc-17.0-rc2/doc. You can also install the latest release using kerl like this:
kerl build 29.0-rc2 29.0-rc2.
Erlang/OTP 29 is a new major release with new features, improvements as well as a few incompatibilities. Some of the new features are highlighted below.
Many thanks to all contributors!
Highlights for RC2
-
The module
io_ansiallows the user to emit Virtual Terminal Sequences (also known as ANSI sequences) to the terminal in order to add colors/styling to text or to create fully fledged terminal applications. -
The new
ct_doctestmodule allows the user to test documentation examples in Erlang module docs and documentation files. -
The
ignore_xrefattribute has been handled as a post-analysis filter by build tools such as Rebar3. In this release, [xref] itself does the filtering, ensuring that all tooling that callsxreffor any purpose can rely on these declarations to just work.
Highlights for RC1
General
-
In the default code path for the Erlang system, the current working directory (
.) is now in the last position instead of the first. -
There is no longer a 32-bit Erlang/OTP build for Windows.
New language features
-
Native records as described in EEP-79 has been implemented. A native record is a data structure similar to the traditional tuple-based records, except that is a true data type. Native records are considered experimental in Erlang/OTP 29 and possibly also in Erlang/OTP 30.
-
The new
is_integer/3guard BIF makes it possible to easily verify that a value is both an integer and within a certain range. For example:is_integer(I, 0, 100) -
Multi-valued comprehensions according to EEP 78 are now supported. For example,
[-I, I || I <- [1, 2, 3]]will produce[-1,1,-2,2,-3,3]. -
By enabling the
compr_assignfeature, it is now possible to bind variables in a comprehensions. For example:[H || E <- List, H = erlang:phash2(E), H rem 10 =:= 0]
Compiler and JIT improvements
-
In the documentation for the [
compile] module, there is now a section with recommendations for implementors of languages running on the BEAM. -
The JIT now generates better code for matching or creating binaries with multiple little-endian segments.
-
The compiler will generate more efficient code for map comprehensions with constant values that don't depend on the generator. Example:
#{K => 42 || K <- List}
Compiler warnings
There are several new compiler warnings enabled by default. For each such warning, there is an option to disable it.
-
There will now be a warning when using the
catchoperator, which has been deprecated for a long time. It is recommended to instead usetry...catchbut is also possible to disable the warning by using thenowarn_deprecated_catchoption. -
There will now be a warning when exporting variables out of a subexpression. For example:
file:open(File, AllOpts = [write, {encoding,utf8}]). This warning can be disabled using thenowarn_export_var_subexprcompiler option. -
The compiler will now warn for uses of the
andandoroperators. This warning can be disabled using thenowarn_obsolete_bool_opcompiler option. -
The compiler will now warn for matches such as
{a,B} = {X,Y}, which is better written as{a=X,B=Y}. This warning can be disabled using thenowarn_match_alias_patsoption.
For a long time, there has been a warning for using the obsolete guard tests (such as list(L) instead of is_list(L). In Erlang/OTP 30, the old guards will be removed from the language.
STDLIB
- There are new functions for randomly permutating a list:
rand:shuffle/1andrand:shuffle_s/2.
SSH
- The default key exchange algorithm is now mlkem768x25519-sha256, a hybrid quantum-resistant algorithm combining ML-KEM-768 with X25519. This provides protection against both classical and quantum computer attacks while maintaining backward compatibility through automatic fallback to other algorithms when peers don't support it.
OTP 28.4.1
Patch Package: OTP 28.4.1
Git Tag: OTP-28.4.1
Date: 2026-03-12
Trouble Report Id: OTP-20007, OTP-20009, OTP-20011, OTP-20012,
OTP-20014, OTP-20018, OTP-20022
Seq num: CVE-2026-23941, CVE-2026-23942,
CVE-2026-23943, ERIERL-1303, ERIERL-1305,
GH-10694, PR-10707, PR-10798, PR-10809,
PR-10811, PR-10813, PR-10825, PR-10833
System: OTP
Release: 28
Application: crypto-5.8.3, inets-9.6.1, kernel-10.6.1,
ssh-5.5.1, ssl-11.5.3
Predecessor: OTP 28.4
Check out the git tag OTP-28.4.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
crypto-5.8.3
The crypto-5.8.3 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Fix memory leak in
crypo:engine_loadif called with incorrect commands.Own Id: OTP-20014
Related Id(s): PR-10798
Full runtime dependencies of crypto-5.8.3
erts-9.0, kernel-6.0, stdlib-3.9
inets-9.6.1
The inets-9.6.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
The httpd server now rejects HTTP requests containing multiple Content-Length headers with different values, returning a 400 Bad Request response. This prevents potential HTTP request smuggling attacks. Thanks Luigino Camastra at Aisle Research for responsibly disclosing this vulnerability
Own Id: OTP-20007
Related Id(s): PR-10833, CVE-2026-23941
Full runtime dependencies of inets-9.6.1
erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0
kernel-10.6.1
The kernel-10.6.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
A vulnerability has been resolved in the (undocumented, unsupported and unused in OTP) inet_dns_tsig module that leads to a validation bypass.
If a request contained an error code (forbidden by spec), it was treated as a response and skipped the verification of the MAC. The user of the module would then receive an "all ok" response, depending on the use case, this could lead to such things as AXFR or UPDATE being allowed.
The code has also been tightening up of the client side to make sure too large (bad) MAC sizes cannot be selected and the limit is the output size of the algorithm chosen.
Own Id: OTP-20012
Related Id(s): PR-10825
Full runtime dependencies of kernel-10.6.1
crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0
ssh-5.5.1
Note! The ssh-5.5.1 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.
On a full OTP 28 installation, also the following runtime
dependency has to be satisfied:
-- crypto-5.7 (first satisfied in OTP 28.1)
Fixed Bugs and Malfunctions
-
Fixed path traversal vulnerability in SFTP server's root option allowing authenticated users to access sibling directories with matching name prefixes. The root option used string prefix matching instead of path component validation. With {root, "/home/user1"}, attackers could access /home/user10/ or /home/user123/. Thanks to Luigino Camastra, Aisle Research.
Own Id: OTP-20009
Related Id(s): PR-10811, CVE-2026-23942 -
Fixed excessive memory usage vulnerability in SSH compression allowing attackers to consume system resources through decompression bombs. The 'zlib' and 'zlib@openssh.com' algorithms lacked decompression size limits, allowing 256 KB packets to expand to 255 MB (1029:1 ratio). This could lead to crashes on systems with limited memory.
The fix removes zlib from default compression algorithms and implements decompression size limits for both algorithms. Thanks to Igor Morgenstern at Aisle Research
Own Id: OTP-20011
Related Id(s): PR-10813, CVE-2026-23943
Full runtime dependencies of ssh-5.5.1
crypto-5.7, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0
ssl-11.5.3
Note! The ssl-11.5.3 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.
On a full OTP 28 installation, also the following runtime
dependencies have to be satisfied:
-- crypto-5.8 (first satisfied in OTP 28.3)
-- public_key-1.18.3 (first satisfied in OTP 28.1)
Fixed Bugs and Malfunctions
-
TLS-1.3 certificate request now preserves the order of signature algorithms in certificate request extension to be in the servers preferred order, which might affect the choice made by some TLS clients.
Own Id: OTP-20022
Related Id(s): ERIERL-1305, GH-10694, PR-10707
Improvements and New Features
-
Document that setting transport protocol specific socket options is not generally expected to work for TLS and if it happens to work it comes with consequences that should be understood an accepted by the user. Also retain some backwards compatibility with such an option that happened to work to buy time for people to come up with better solutions.
Own Id: OTP-20018
Related Id(s): ERIERL-1303, PR-10809
Full runtime dependencies of ssl-11.5.3
crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.18.3, runtime_tools-1.15.1, stdlib-7.0
Thanks to
Alexander Clouter, Hewwho
OTP 27.3.4.9
=== OTP-27.3.4.9 === Changed Applications: - inets-9.3.2.3 - ssh-5.2.11.6 - ssl-11.2.12.6 Unchanged Applications: - asn1-5.3.4.2 - common_test-1.27.7 - compiler-8.6.1.3 - crypto-5.5.3.1 - debugger-5.5.0.1 - dialyzer-5.3.1 - diameter-2.4.1.1 - edoc-1.3.2 - eldap-1.2.14.1 - erl_interface-5.5.2 - erts-15.2.7.6 - et-1.7.1 - eunit-2.9.1 - ftp-1.2.3 - jinterface-1.14.1 - kernel-10.2.7.3 - megaco-4.7.2.1 - mnesia-4.23.5.1 - observer-2.17 - odbc-2.15 - os_mon-2.10.1 - parsetools-2.6 - public_key-1.17.1.1 - reltool-1.0.1 - runtime_tools-2.1.1 - sasl-4.2.2 - snmp-5.18.2 - stdlib-6.2.2.3 - syntax_tools-3.2.2.2 - tftp-1.2.2.1 - tools-4.1.1 - wx-2.4.3.1 - xmerl-2.1.3.3
OTP 26.2.5.18
Patch Package: OTP 26.2.5.18
Git Tag: OTP-26.2.5.18
Date: 2026-03-12
Trouble Report Id: OTP-19795, OTP-20007, OTP-20009, OTP-20011,
OTP-20022
Seq num: CVE-2026-23941, CVE-2026-23942,
CVE-2026-23943, ERIERL-1305, GH-10694,
PR-10465, PR-10707, PR-10811, PR-10813,
PR-10833
System: OTP
Release: 26
Application: inets-9.1.0.5, ssh-5.1.4.14, ssl-11.1.4.12
Predecessor: OTP 26.2.5.17
Check out the git tag OTP-26.2.5.18, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- inets-9.1.0.5 ---------------------------------------------------
---------------------------------------------------------------------
The inets-9.1.0.5 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-20007 Application(s): inets
Related Id(s): PR-10833, CVE-2026-23941
The httpd server now rejects HTTP requests containing
multiple Content-Length headers with different values,
returning a 400 Bad Request response. This prevents
potential HTTP request smuggling attacks. Thanks
Luigino Camastra at Aisle Research for responsibly
disclosing this vulnerability
Full runtime dependencies of inets-9.1.0.5: erts-14.0, kernel-9.0,
mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0,
stdlib-5.0, stdlib-5.0
---------------------------------------------------------------------
--- ssh-5.1.4.14 ----------------------------------------------------
---------------------------------------------------------------------
The ssh-5.1.4.14 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-20009 Application(s): ssh
Related Id(s): PR-10811, CVE-2026-23942
Fixed path traversal vulnerability in SFTP server's
root option allowing authenticated users to access
sibling directories with matching name prefixes. The
root option used string prefix matching instead of path
component validation. With {root, "/home/user1"},
attackers could access /home/user10/ or /home/user123/.
Thanks to Luigino Camastra, Aisle Research.
OTP-20011 Application(s): ssh
Related Id(s): PR-10813, CVE-2026-23943
Fixed excessive memory usage vulnerability in SSH
compression allowing attackers to consume system
resources through decompression bombs. The 'zlib' and
'zlib@openssh.com' algorithms lacked decompression size
limits, allowing 256 KB packets to expand to 255 MB
(1029:1 ratio). This could lead to crashes on systems
with limited memory.
The fix removes zlib from default compression
algorithms and implements decompression size limits for
both algorithms. Thanks to Igor Morgenstern at Aisle
Research
Full runtime dependencies of ssh-5.1.4.14: crypto-5.0, erts-14.0,
kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0,
stdlib-5.0
---------------------------------------------------------------------
--- ssl-11.1.4.12 ---------------------------------------------------
---------------------------------------------------------------------
The ssl-11.1.4.12 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19795 Application(s): ssl
Related Id(s): PR-10465
Correct TLS-1.3 alert handling so server will always
send the alert with the encryption keys that the client
is expecting, that is if for instance if client
certification fails the alert will be sent using
application traffic encryption keys.
OTP-20022 Application(s): ssl
Related Id(s): ERIERL-1305, GH-10694, PR-10707
TLS-1.3 certificate request now preserves the order of
signature algorithms in certificate request extension
to be in the servers preferred order, which might
affect the choice made by some TLS clients.
Full runtime dependencies of ssl-11.1.4.12: crypto-5.0, erts-14.0,
inets-5.10.7, kernel-9.0, public_key-1.11.3, runtime_tools-1.15.1,
stdlib-4.1
---------------------------------------------------------------------
--- Thanks to -------------------------------------------------------
---------------------------------------------------------------------
Hewwho
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
OTP 28.4
Patch Package: OTP 28.4
Git Tag: OTP-28.4
Date: 2026-03-04
Trouble Report Id: OTP-16607, OTP-19824, OTP-19860, OTP-19886,
OTP-19892, OTP-19901, OTP-19904, OTP-19905,
OTP-19907, OTP-19908, OTP-19911, OTP-19913,
OTP-19914, OTP-19920, OTP-19923, OTP-19928,
OTP-19937, OTP-19939, OTP-19940, OTP-19941,
OTP-19948, OTP-19950, OTP-19951, OTP-19952,
OTP-19959, OTP-19972, OTP-19973, OTP-19974,
OTP-19976, OTP-19977, OTP-19979, OTP-19987,
OTP-19988, OTP-19989, OTP-19990, OTP-19992,
OTP-19998, OTP-20006
Seq num: ERIERL-1251, ERIERL-1264, ERIERL-1283,
GH-10351, GH-10371, GH-10470, GH-10474,
GH-10494, GH-10495, GH-10501, GH-10513,
GH-10567, GH-10652, GH-10698, GH-10705,
GH-9681, OTP-16608, PR-10271, PR-10385,
PR-10434, PR-10438, PR-10451, PR-10469,
PR-10484, PR-10486, PR-10496, PR-10512,
PR-10521, PR-10522, PR-10536, PR-10537,
PR-10546, PR-10550, PR-10576, PR-10583,
PR-10586, PR-10588, PR-10599, PR-10602,
PR-10623, PR-10624, PR-10625, PR-10630,
PR-10655, PR-10665, PR-10668, PR-10672,
PR-10673, PR-10675, PR-10678, PR-10684,
PR-10708, PR-10714, PR-10723, PR-10752,
PR-9695
System: OTP
Release: 28
Application: asn1-5.4.3, common_test-1.30, compiler-9.0.5,
crypto-5.8.2, diameter-2.6.1,
erl_interface-5.6.4, erts-16.3, et-1.7.3,
eunit-2.10.2, inets-9.6, kernel-10.6,
megaco-4.8.3, mnesia-4.25.2, observer-2.18.2,
odbc-2.16.1, parsetools-2.7.1,
public_key-1.20.2, reltool-1.0.3,
runtime_tools-2.3.1, sasl-4.3.1, snmp-5.20.1,
ssh-5.5, ssl-11.5.2, stdlib-7.3,
syntax_tools-4.0.3, tools-4.1.4, wx-2.5.4,
xmerl-2.1.9
Predecessor: OTP 28.3.3
Check out the git tag OTP-28.4, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
HIGHLIGHTS
-
Added support for the PQC key exchange (kex) algorithm mlkem768x25519-sha256, a hybrid quantum-resistant algorithm combining ML-KEM-768 with X25519.
Own Id: OTP-19824
Application(s): ssh
Related Id(s): [PR-10512], [PR-10655] -
Added
persistent_term:put_new/2that will quickly do nothing if a term with the given name and value already exists, and raise abadargexception if the term exists with a different value.Own Id: OTP-19908
Application(s): erts
Related Id(s): [GH-9681], [PR-9695]
POTENTIAL INCOMPATIBILITIES
-
Added a new HttpOption
{autoretry, timeout()}tohttpc:request/4,5. This option allows the client to decide how to act upon receiving a Retry-After response header. The default behavior changes, as now only one retry is made before returning the error code, instead of retrying infinitely.Own Id: OTP-19892
Application(s): inets
Related Id(s): ERIERL-1283, [PR-10469]
OTP-28.4
Improvements and New Features
-
Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages.
A
make releaseapplication places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore.make release_docsplaces the documentation in the released code under thedocfolder.make release_testsplaces the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore.The Software Bill of Materials places the examples folders as if they are part of the
SPDX-otp-<app>-docpackge, instead of placing examples as if they were running source code.Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run
./Install -minimal \pwd`and add the release to thePATH. After that, one can run tests as usual, going into the released tests directory, enteringtest_server` and running the emulator.Improves the source Software-Bill-of-Materials
- The improvements adds new SPDX relations for
asmjitandzlibto beoptional_components_ofthe Erlang/OTP project. - The
autoconfscripts inmakeandertshave now been categorised asbuild_tool_ofthe Erlang/OTP project. - All remaining
configure,configure.ac,config.h.in,Makefile.in,Makefile.src,EMakefile, andGNUMakefileare now part of a specific SPDX package with relationbuild_tool_ofthe Erlang/OTP project.
Own Id: OTP-19886
Related Id(s): [PR-10434] - The improvements adds new SPDX relations for
-
The GH Actions CI forbids non-maintainers to commit
*.beamfiles to the Erlang/OTP repoOwn Id: OTP-19923
Related Id(s): [PR-10550] -
Updated
opensslfrom3.6.0to3.6.1.This change does not perform any changes in the
md5vendor implementation fromopenssl. The change merges upstream cosmetic changes fromopenssl. This is necessary to automatically migrate cleanly to the nextopensslversion without conflicts with upstream.Own Id: OTP-19959
Related Id(s): [PR-10630] -
The removal of the [
slave] and [slave] modules have been postponed to Erlang/OTP 31.The partial removal of the archive feature has been postponed to Erlang/OTP 30.
Own Id: OTP-19989
Related Id(s): [PR-10714]
asn1-5.4.3
The asn1-5.4.3 application can be applied independently of other applications on a full OTP 28 installation.
Improvements and New Features
-
Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages.
A
make releaseapplication places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore.make release_docsplaces the documentation in the released code under thedocfolder.make release_testsplaces the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore.The Software Bill of Materials places the examples folders as if they are part of the
SPDX-otp-<app>-docpackge, instead of placing examples as if they were running source code.Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run
./Install -minimal \pwd`and add the release to thePATH. After that, one can run tests as usual, going into the released tests directory, enteringtest_server` and running the emulator.Improves the source Software-Bill-of-Materials
- The improvements adds new SPDX relations for
asmjitandzlibto beoptional_components_ofthe Erlang/OTP project. - The
autoconfscripts inmakeandertshave now been categorised asbuild_tool_ofthe Erlang/OTP project. - All remaining
configure,configure.ac,config.h.in,Makefile.in,Makefile.src,EMakefile, andGNUMakefileare now part of a specific SPDX package with relationbuild_tool_ofthe Erlang/OTP project.
Own Id: OTP-19886
Related Id(s): [PR-10434] - The improvements adds new SPDX relations for
Full runtime dependencies of asn1-5.4.3
erts-14.0, kernel-9.0, stdlib-5.0
common_test-1.30
The common_test-1.30 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Added documentation about the behavior of
ct:comment/1andct:comment/2when executed from processes other than the process running test functions.Own Id: OTP-19913
Related Id(s): ERIERL-1264, [PR-10271]
Improvements and New Features
-
Updated jquery to 4.0.0
Own Id: OTP-19972
Related Id(s): [PR-10623], [PR-10624], [PR-10625], [PR-10665] -
The removal of the [
slave] and [slave] modules have been postponed to Erlang/OTP 31.The partial removal of the archive feature has been postponed to Erlang/OTP 30.
Own Id: OTP-19989
Related Id(s): [PR-10714]
Full runtime dependencies of common_test-1.30
compiler-6.0, crypto-4.5, debugger-4.1, erts-7.0, ftp-1.0, inets-6.0, kernel-8.4, observer-2.1, runtime_tools-1.8.16, sasl-2.5, snmp-5.1.2, ssh-4.0, stdlib-4.0, syntax_tools-1.7, tools-3.2, xmerl-1.3.8
compiler-9.0.5
The compiler-9.0.5 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Fixed a compiler alias analysis bug that could generate unsafe code for repeated binary segments.
Own Id: OTP-19951
Related Id(s): [PR-10588]
Full runtime dependencies of compiler-9.0.5
crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0
crypto-5.8.2
The crypto-5.8.2 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Fixed
crypto:crypto_one_time_aead/4, which could crash the runtime system if invoked in parallel with the same state.Own Id: OTP-19973
Related Id(s): [GH-10652], [PR-10668]
Full runtime dependencies of crypto-5.8.2
erts-9.0, ...
OTP 28.3.3
Patch Package: OTP 28.3.3
Git Tag: OTP-28.3.3
Date: 2026-02-27
Trouble Report Id: OTP-19902, OTP-20008
Seq num: PR-10518
System: OTP
Release: 28
Application: erl_interface-5.6.3, erts-16.2.2
Predecessor: OTP 28.3.2
Check out the git tag OTP-28.3.3, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
erl_interface-5.6.3
The erl_interface-5.6.3 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Add missing copyrights.
Own Id: OTP-20008
erts-16.2.2
The erts-16.2.2 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Fixed bug in
erlang:monitor_nodefor rare reconnect race with multiple node monitoring from the same process.Own Id: OTP-19902
Related Id(s): PR-10518 -
Add missing copyrights.
Own Id: OTP-20008
Full runtime dependencies of erts-16.2.2
kernel-9.0, sasl-3.3, stdlib-4.1
OTP 28.3.2
Patch Package: OTP 28.3.2
Git Tag: OTP-28.3.2
Date: 2026-02-20
Trouble Report Id: OTP-19864, OTP-19915, OTP-19926, OTP-19958,
OTP-19962, OTP-19978, OTP-19981, OTP-19983,
OTP-19993
Seq num: CVE-2026-21620, GH-10651, GH-8676, PR-10539,
PR-10547, PR-10575, PR-10616, PR-10664,
PR-10696, PR-10706, PR-10732
System: OTP
Release: 28
Application: crypto-5.8.1, erts-16.2.1, ssh-5.4.1,
stdlib-7.2.1, tftp-1.2.4
Predecessor: OTP 28.3.1
Check out the git tag OTP-28.3.2, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
crypto-5.8.1
The crypto-5.8.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Fixed static linking of OpenSSL 3.5+ on Windows.
Own Id: OTP-19993
Related Id(s): PR-10732
Full runtime dependencies of crypto-5.8.1
erts-9.0, kernel-6.0, stdlib-3.9
erts-16.2.1
The erts-16.2.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Fail the windows build properly when nsis is not recognised.
Own Id: OTP-19926
Related Id(s): PR-10547 -
Socket accept cancel could cause fatal crash (core dump) on Windows.
Own Id: OTP-19958
-
Fixed bug in
ets:update_counter/4andets:update_element/4accepting and inserting a default tuple smaller than thekeyposof the table. Such a tuple without a key element would make the table internally inconsistent and might lead to bad behavior at table access, like ERTS runtime crash.Now a call to
ets:update_counter/4orets:update_element/4will fail withbadargif the key does not exist in the table and the default tuple is too small.Own Id: OTP-19962
Related Id(s): PR-10616 -
A missing memory barrier when unlocking process locks could cause unexpected behavior on architectures with weak memory ordering such as for example ARM.
Own Id: OTP-19978
Related Id(s): PR-10664 -
A process could fail to wake from hibernation when a nonβmessage signal followed by a message signal arrived concurrently as the receiving process hibernated. If the process had a large heap, triggering a dirty GC, the wakeup could be lost.
This bug existed since OTP 27.0.
Full runtime dependencies of erts-16.2.1
kernel-9.0, sasl-3.3, stdlib-4.1
ssh-5.4.1
The ssh-5.4.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Fix handling of the SSH "each side may guess" key-exchange mechanism as defined in RFC 4253, Section 7.
-
Fix ssh_file:encode handling of OpenSSH V1 private keys generated by public_key module. Also correct type specifications for OpenSSH V1 keys in ssh_file encode and decode operations.
Own Id: OTP-19915
Related Id(s): PR-10539
Full runtime dependencies of ssh-5.4.1
crypto-5.0, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0
stdlib-7.2.1
Note! The stdlib-7.2.1 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.
On a full OTP 28 installation, also the following runtime
dependency has to be satisfied:
-- erts-16.0.3 (first satisfied in OTP 28.0.3)
Fixed Bugs and Malfunctions
-
Fixed bug in
ets:update_counter/4andets:update_element/4accepting and inserting a default tuple smaller than thekeyposof the table. Such a tuple without a key element would make the table internally inconsistent and might lead to bad behavior at table access, like ERTS runtime crash.Now a call to
ets:update_counter/4orets:update_element/4will fail withbadargif the key does not exist in the table and the default tuple is too small.Own Id: OTP-19962
Related Id(s): PR-10616
Full runtime dependencies of stdlib-7.2.1
compiler-5.0, crypto-4.5, erts-16.0.3, kernel-10.0, sasl-3.0, syntax_tools-3.2.1
tftp-1.2.4
The tftp-1.2.4 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
An issue in the undocumented initial state option [{root_dir,Dir}] to the tftp_file module has been fixed. The request file name was just concatenated to Dir so it was possible to traverse above Dir by using "../" file path components. Now the option actually restricts local file operations to the Dir directory and subdirectories.
The initial state option and how to use it was previously undocumented, so it is unlikely that anyone would have used it without understanding its peculiarities.
The documentation of the TFTP application has also been clarified to make it obvious that the default server configuration allows read and write access to all files that are readable or writable by the user running the Erlang VM, and that the default configuration therefore should be avoided.
Thanks to Luigino Camastra at Aisle Research, for finding and reporting this issue.
Own Id: OTP-19981
Related Id(s): PR-10706, CVE-2026-21620
Full runtime dependencies of tftp-1.2.4
erts-6.0, kernel-6.0, stdlib-5.0
Thanks to
Daniel Hryzbil, Jan Uhlig
OTP 27.3.4.8
=== OTP-27.3.4.8 === Changed Applications: - crypto-5.5.3.1 - erts-15.2.7.6 - ssh-5.2.11.5 - stdlib-6.2.2.3 - tftp-1.2.2.1 Unchanged Applications: - asn1-5.3.4.2 - common_test-1.27.7 - compiler-8.6.1.3 - debugger-5.5.0.1 - dialyzer-5.3.1 - diameter-2.4.1.1 - edoc-1.3.2 - eldap-1.2.14.1 - erl_interface-5.5.2 - et-1.7.1 - eunit-2.9.1 - ftp-1.2.3 - inets-9.3.2.2 - jinterface-1.14.1 - kernel-10.2.7.3 - megaco-4.7.2.1 - mnesia-4.23.5.1 - observer-2.17 - odbc-2.15 - os_mon-2.10.1 - parsetools-2.6 - public_key-1.17.1.1 - reltool-1.0.1 - runtime_tools-2.1.1 - sasl-4.2.2 - snmp-5.18.2 - ssl-11.2.12.5 - syntax_tools-3.2.2.2 - tools-4.1.1 - wx-2.4.3.1 - xmerl-2.1.3.3
OTP 26.2.5.17
=== OTP-26.2.5.17 === Changed Applications: - compiler-8.4.3.4 - crypto-5.4.2.4 - erts-14.2.5.13 - megaco-4.5.0.1 - ssl-11.1.4.11 - stdlib-5.2.3.6 - tftp-1.1.1.1 - wx-2.4.1.1 Unchanged Applications: - asn1-5.2.2.1 - common_test-1.26.2.4 - debugger-5.3.4 - dialyzer-5.1.3.1 - diameter-2.3.2.2 - edoc-1.2.1 - eldap-1.2.12 - erl_docgen-1.5.2 - erl_interface-5.5.1 - et-1.7 - eunit-2.9 - ftp-1.2.1.1 - inets-9.1.0.4 - jinterface-1.14 - kernel-9.2.4.10 - mnesia-4.23.1.2 - observer-2.15.1 - odbc-2.14.2 - os_mon-2.9.1 - parsetools-2.5 - public_key-1.15.1.6 - reltool-1.0 - runtime_tools-2.0.1 - sasl-4.2.1 - snmp-5.15 - ssh-5.1.4.13 - syntax_tools-3.1.0.1 - tools-3.6 - xmerl-1.3.34.3
OTP 29.0-rc1
Inital Release: OTP 29.0
Git Tag: OTP-29.0
Date: 2026-02-11
Trouble Report Id: OTP-16607, OTP-19611, OTP-19643, OTP-19652,
OTP-19663, OTP-19672, OTP-19695, OTP-19708,
OTP-19709, OTP-19713, OTP-19734, OTP-19744,
OTP-19747, OTP-19750, OTP-19751, OTP-19763,
OTP-19764, OTP-19766, OTP-19775, OTP-19778,
OTP-19779, OTP-19783, OTP-19784, OTP-19785,
OTP-19786, OTP-19793, OTP-19800, OTP-19801,
OTP-19807, OTP-19809, OTP-19811, OTP-19815,
OTP-19822, OTP-19826, OTP-19834, OTP-19838,
OTP-19842, OTP-19853, OTP-19858, OTP-19866,
OTP-19874, OTP-19882, OTP-19887, OTP-19898,
OTP-19903, OTP-19906, OTP-19910, OTP-19912,
OTP-19917, OTP-19918, OTP-19919, OTP-19921,
OTP-19922, OTP-19925, OTP-19927, OTP-19930,
OTP-19932, OTP-19933, OTP-19934, OTP-19935,
OTP-19936, OTP-19938, OTP-19942, OTP-19943,
OTP-19949, OTP-19954, OTP-19956, OTP-19960,
OTP-19963, OTP-19964, OTP-19965, OTP-19966,
OTP-19968
Seq num: GH-10071, GH-10125, GH-10151, GH-10260,
GH-10341, GH-10345, GH-10558, GH-10559,
GH-10560, GH-10561, GH-10609, GH-8569,
GH-8993, GH-9822, OTP-16608, OTP-19827,
PR-10013, PR-10033, PR-10078, PR-10114,
PR-10115, PR-10126, PR-10134, PR-10144,
PR-10145, PR-10161, PR-10165, PR-10166,
PR-10168, PR-10187, PR-10189, PR-10193,
PR-10195, PR-10197, PR-10202, PR-10206,
PR-10207, PR-10209, PR-10213, PR-10218,
PR-10220, PR-10223, PR-10230, PR-10234,
PR-10253, PR-10269, PR-10276, PR-10277,
PR-10281, PR-10304, PR-10338, PR-10348,
PR-10372, PR-10382, PR-10387, PR-10417,
PR-10421, PR-10422, PR-10433, PR-10449,
PR-10453, PR-10510, PR-10511, PR-10514,
PR-10519, PR-10524, PR-10532, PR-10549,
PR-10554, PR-10556, PR-10566, PR-10568,
PR-10573, PR-10579, PR-10585, PR-10598,
PR-10601, PR-10613, PR-10615, PR-10617,
PR-10626, PR-10642, PR-10646, PR-10656,
PR-7118, PR-7315, PR-9115, PR-9125, PR-9134,
PR-9153, PR-9209, PR-9223, PR-9374, PR-9475,
PR-9790, PR-9864, PR-9866, PR-9894, PR-9899,
PR-9934, PR-9984
System: OTP
Release: 29
Application: asn1-5.5, common_test-1.30, compiler-10.0,
crypto-5.9, debugger-6.1, dialyzer-6.0,
diameter-2.7, edoc-1.5, eldap-1.3,
erl_interface-5.7, erts-17.0, et-1.8,
eunit-2.11, ftp-1.3, inets-9.6,
jinterface-1.16, kernel-11.0, megaco-4.9,
mnesia-4.26, observer-2.19, odbc-2.17,
os_mon-2.12, parsetools-2.8, public_key-1.21,
reltool-1.1, runtime_tools-2.4, sasl-4.4,
snmp-5.21, ssh-5.5, ssl-11.5.2, stdlib-8.0,
syntax_tools-4.1, tftp-1.3, tools-4.2,
wx-2.6, xmerl-2.2
Predecessor: OTP
Check out the git tag OTP-29.0, and build a full OTP system including documentation.
HIGHLIGHTS
-
The JIT now generates better code for matching or creating binaries with multiple little-endian segments.
Own Id: OTP-19747
Application(s): erts
Related Id(s): [PR-10126] -
In the documentation for the [
compile] module, a section has been added with recommendations for implementors of languages running on the BEAM. Documentation has also been added for theto_abstr,to_exp, andfrom_abstroptions.The documentation for [erlc] now lists
.abstras one of the supported options.When compiling with the
to_abstroption, the resulting.abstrfile now retains any-docattributes present in the source code.Own Id: OTP-19784
Application(s): compiler, erts
Related Id(s): [PR-10230], [PR-10234] -
Native records as described in EEP-79 has been implemented.
A native record is a data structure similar to the traditional tuple-based records, except that is a true data type.
Native records are considered experimental in Erlang/OTP 29 and possibly also in Erlang/OTP 30, meaning that their behavior may change, potentially requiring updates to applications that use them.
Own Id: OTP-19785
Application(s): compiler, dialyzer, erts, stdlib
Related Id(s): [PR-10617] -
The guard BIF
is_integer/3has been added. It follows the design of the original EEP-16, only changing the name fromis_betweentois_integer. This BIF takes in 3 parameters,Term,LowerBound, andUpperBound.It returns
trueifTerm,LowerBound, andUpperBoundare all integers, andLowerBound =< Term =< UpperBound; otherwise, it returns false.Example:
1> I = 42. 2> is_integer(I, 0, 100). true
Own Id: OTP-19809
Application(s): compiler, dialyzer, erts
Related Id(s): [PR-10276] -
There are new functions for random permutation of a list:
rand:shuffle/1andrand:shuffle_s/2. They are inspired by a suggestion and discussion on ErlangForums.Own Id: OTP-19826
Application(s): stdlib
Related Id(s): [PR-10281] -
In the default code path for the Erlang system, the current working directory (
.) is now in the last position instead of the first.Own Id: OTP-19842
Application(s): erts, kernel*** POTENTIAL INCOMPATIBILITY ***
-
Function application is now left associative. That means one can now write:
f(X)(Y)instead of:
(f(X))(Y)Own Id: OTP-19866
Application(s): compiler
Related Id(s): [PR-9223] -
There will now be a warning when exporting variables out of a subexpression. For example:
case file:open(File, AllOpts = [write,{encoding,utf8}]) of {ok,Fd} -> {Fd,AllOpts} endTo avoid the warning, this can be rewritten to:
AllOpts = [write,{encoding,utf8}], case file:open(File, AllOpts) of {ok,Fd} -> {Fd,AllOpts} endThe warning can be suppressed by giving option
nowarn_export_var_subexprto the compiler.Own Id: OTP-19898
Application(s): compiler, stdlib
Related Id(s): [PR-9134] -
By default, the compiler will now warn for uses of the
andandoroperators.This warning can be suppressed using the
nowarn_obsolete_bool_opcompiler option.Own Id: OTP-19918
Application(s): compiler
Related Id(s): [PR-9115] -
Before Erlang/OTP 29, attempting to bind variables in a comprehension would compile successfully but fail at runtime. Example:
1> fh(List) -> [H || E <- List, H = erlang:phash2(E), H rem 10 =:= 0]. ok 2> fh(lists:seq(1, 10)). * exception error: bad filter 2614250In Erlang/OTP 29, attempting to bind a variable in a comprehension will fail by default:
1> fh(List) -> [H || E <- List, H = erlang:phash2(E), H rem 10 =:= 0]. * 5:14: matches using '=' are not allowed in comprehension qualifiers unless the experimental 'compr_assign' language feature is enabled. With 'compr_assign' enabled, a match 'P = E' will behave as a strict generator 'P <-:- [E]'."However, this example will work as expected if the
compr_assignfeature is enabled when starting the runtime system:$ erl -enable-feature compr_assign . . . 1> fh(List) -> [H || E <- List, H = erlang:phash2(E), H rem 10 =:= 0]. ok 2> fh(lists:seq(1, 10)). [2614250]Here is another example how
compr_assigncan be used:-module(example). -feature(compr_assign, enable). -export([cat/1]). cat(Files) -> [Char || F <- Files, {ok, Bin} = file:read_file(F), Char <- unicode:characters_to_list(Bin)].Own Id: OTP-19927
Application(s): compiler, stdlib
Related Id(s): [PR-9153]*** POTENTIAL INCOMPATIBILITY ***
-
There will now be a warning when using the
catchoperator, which has been deprecated for a long time.It is recommended to instead use
try...catchbut is also possible to disable the warning by using thenowarn_deprecated_catchoption.Own Id: OTP-19938
Application(s): compiler, stdlib
Related Id(s): [PR-10421] -
Multi-valued comprehensions according to [EEP 78] has been implemented.
Example:
> [I, -I || I <- lists:seq(1, 5)]. [1,-1,2,-2,3,-3,4,-4,5,-5]
Own Id: OTP-19942
Application(s): compiler, debugger, stdlib, syntax_tools
Related Id(s): [PR-9374] -
There will now be a warning for matches that unify constructors, such as the following:
m({a,B} = {Y,Z}) -> . . .Such a match can be rewritten to:
m({a=Y,B=B}) -> . . .The compiler option
nowarn_match_alias_patscan be used to disable the warning.Own Id: OTP-19943
Application(s): compiler, stdlib
Related Id(s): [PR-10433] -
There is no longer a 32-bit Erlang/OTP build for Windows.
Own Id: OTP-19960
Application(s): otp -
The default key exchange algorithm is now mlkem768x25519-sha256, a hybrid quantum-resistant algorithm combining ML-KEM-768 with X25519. This provides protection against both classical and quantum computer attacks while maintaining ba...