https://github.com/erlang/otp/security/advisories/GHSA-c99q-jmpx-v8qq reports:
Erlang/OTP's public_key application contains a
path-validation flaw where non-CA certificates lacking
keyUsage extensions can be accepted as intermediate issuers.
An attacker with an end-entity certificate issued by a
trusted CA can exploit this to forge arbitrary leaf
certificates, allowing public_key:pkix_path_validation/3 to
validate fraudulent certificate chains and potentially
compromise systems relying on SSL/TLS validation.
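
A defender-side audit for the chain shape described above, as an added example (not code from the advisory or from Erlang/OTP). It takes a chain in the same order as the second argument of public_key:pkix_path_validation/3 and reports every issuer-position certificate that is not a CA per basicConstraints, or whose keyUsage lacks keyCertSign. The module name chain_audit and its function names are hypothetical.

```erlang
-module(chain_audit).
-export([suspect_issuers/1, from_pem/1]).
-include_lib("public_key/include/public_key.hrl").

%% DerChain: DER certificates below the trust anchor, in the order that
%% public_key:pkix_path_validation/3 expects (first issued by the anchor,
%% peer certificate last). Returns [{Position, Reason}] for certificates in
%% an issuer position that RFC 5280 section 6.1.4 (k)/(n) would not allow
%% to sign other certificates.
suspect_issuers([]) -> [];
suspect_issuers(DerChain) ->
    Issuers = lists:droplast(DerChain),          % the peer is not an issuer
    Numbered = lists:zip(lists:seq(1, length(Issuers)), Issuers),
    [{Pos, Reason} || {Pos, Der} <- Numbered,
                      {bad, Reason} <- [issuer_status(Der)]].

issuer_status(Der) ->
    #'OTPCertificate'{tbsCertificate = TBS} = public_key:pkix_decode_cert(Der, otp),
    Exts = case TBS#'OTPTBSCertificate'.extensions of
               asn1_NOVALUE -> [];
               List -> List
           end,
    case {is_ca(Exts), key_usage(Exts)} of
        {false, absent} -> {bad, not_ca_and_no_key_usage}; % shape in the advisory
        {false, _}      -> {bad, not_ca};
        {true, absent}  -> ok;
        {true, KU} ->
            case lists:member(keyCertSign, KU) of
                true  -> ok;
                false -> {bad, key_usage_lacks_keyCertSign}
            end
    end.

is_ca(Exts) ->
    case lists:keyfind(?'id-ce-basicConstraints', #'Extension'.extnID, Exts) of
        #'Extension'{extnValue = #'BasicConstraints'{cA = true}} -> true;
        _ -> false
    end.

key_usage(Exts) ->
    case lists:keyfind(?'id-ce-keyUsage', #'Extension'.extnID, Exts) of
        #'Extension'{extnValue = KU} when is_list(KU) -> KU;
        _ -> absent
    end.

%% Reads a PEM bundle; the file must list certificates issuer-first, peer last.
from_pem(Path) ->
    {ok, Bin} = file:read_file(Path),
    [Der || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Bin)].
```

An empty result from suspect_issuers/1 means no certificate in the supplied chain sits in an issuer position without CA authority; it does not replace signature and validity checking by pkix_path_validation/3.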