CVE-2026-54891 (GCVE-0-2026-54891)

Vulnerability from cvelistv5 – Published: 2026-07-02 16:06 – Updated: 2026-07-03 04:29
Title
Plaintext APPLICATION_DATA injected during TLS handshake delivered to client application post-handshake in ssl
Summary
Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in Erlang/OTP ssl (tls_gen_connection module) allows a network-positioned attacker to inject unauthenticated plaintext that the TLS client application later treats as authenticated server data.

The function tls_gen_connection:handle_protocol_record/3 rejects APPLICATION_DATA records that arrive in pre-handshake states when the TLS endpoint acts as a server, but does not apply the same check when the endpoint acts as a client. A network-positioned attacker can send plaintext APPLICATION_DATA records to the client during the handshake. The records are buffered and, once the handshake completes successfully, delivered to the application as if they were authenticated post-handshake data. The attacker cannot observe the client's response or steer the connection, so the impact is limited to blind injection of unauthenticated bytes. The injection window is wider for TLS versions prior to TLS 1.3 than for TLS 1.3.

This vulnerability is associated with program file lib/ssl/src/tls_gen_connection.erl.

This issue affects OTP from OTP 17.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 5.3.4 before 11.7.3, 11.6.0.3 and 11.2.12.10. TLS 1.3 is affected starting with OTP 22.0, when TLS 1.3 support was added.
CWE
  • CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel
Assigner
EEF
Impacted products
  • Vendor: Erlang; Product: OTP; Version: Affected: 5.3.4 , < * (otp)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
  • Vendor: Erlang; Product: OTP; Version: Affected: 17.0 , < * (otp)
    Affected: 84adefa331c4159d432d22840663c38f155cd4c1 , < 07d2d0e93f6aaf7652a81e8df075fc1728da5e96 (git)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Credits
Lukas Backström, Ingela Anderton Andin, Dan Gudmundsson, Jakub Witczak

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54891",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-02T17:24:44.468465Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-02T17:24:50.025Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "tls_gen_connection"
          ],
          "packageName": "ssl",
          "packageURL": "pkg:otp/ssl?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/tls_gen_connection.erl"
          ],
          "programRoutines": [
            {
              "name": "tls_gen_connection:handle_protocol_record/3"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "11.7.3",
                  "status": "unaffected"
                },
                {
                  "at": "11.6.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "11.2.12.10",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "5.3.4",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "tls_gen_connection"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "lib/ssl/src/tls_gen_connection.erl"
          ],
          "programRoutines": [
            {
              "name": "tls_gen_connection:handle_protocol_record/3"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "29.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "28.5.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "27.3.4.14",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "17.0",
              "versionType": "otp"
            },
            {
              "lessThan": "07d2d0e93f6aaf7652a81e8df075fc1728da5e96",
              "status": "affected",
              "version": "84adefa331c4159d432d22840663c38f155cd4c1",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "27.3.4.14",
                  "versionStartIncluding": "17.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "28.5.0.3",
                  "versionStartIncluding": "28.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.3",
                  "versionStartIncluding": "29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lukas Backstr\u00f6m"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Ingela Anderton Andin"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Dan Gudmundsson"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Jakub Witczak"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in Erlang/OTP ssl (tls_gen_connection module) allows a network-positioned attacker to inject unauthenticated plaintext that the TLS client application later treats as authenticated server data.\u003c/p\u003e\u003cp\u003eThe function \u003ctt\u003etls_gen_connection:handle_protocol_record/3\u003c/tt\u003e rejects \u003ctt\u003eAPPLICATION_DATA\u003c/tt\u003e records that arrive in pre-handshake states when the TLS endpoint acts as a server, but does not apply the same check when the endpoint acts as a client. A network-positioned attacker can send plaintext \u003ctt\u003eAPPLICATION_DATA\u003c/tt\u003e records to the client during the handshake. The records are buffered and, once the handshake completes successfully, delivered to the application as if they were authenticated post-handshake data. The attacker cannot observe the client\u0027s response or steer the connection, so the impact is limited to blind injection of unauthenticated bytes. The injection window is wider for TLS versions prior to TLS 1.3 than for TLS 1.3.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/ssl/src/tls_gen_connection.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 5.3.4 before 11.7.3, 11.6.0.3 and 11.2.12.10. TLS 1.3 is affected starting with OTP 22.0, when TLS 1.3 support was added.\u003c/p\u003e"
            }
          ],
          "value": "Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in Erlang/OTP ssl (tls_gen_connection module) allows a network-positioned attacker to inject unauthenticated plaintext that the TLS client application later treats as authenticated server data.\n\nThe function tls_gen_connection:handle_protocol_record/3 rejects APPLICATION_DATA records that arrive in pre-handshake states when the TLS endpoint acts as a server, but does not apply the same check when the endpoint acts as a client. A network-positioned attacker can send plaintext APPLICATION_DATA records to the client during the handshake. The records are buffered and, once the handshake completes successfully, delivered to the application as if they were authenticated post-handshake data. The attacker cannot observe the client\u0027s response or steer the connection, so the impact is limited to blind injection of unauthenticated bytes. The injection window is wider for TLS versions prior to TLS 1.3 than for TLS 1.3.\n\nThis vulnerability is associated with program file lib/ssl/src/tls_gen_connection.erl.\n\nThis issue affects OTP from OTP 17.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 5.3.4 before 11.7.3, 11.6.0.3 and 11.2.12.10. TLS 1.3 is affected starting with OTP 22.0, when TLS 1.3 support was added."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-94",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-94 Adversary in the Middle (AiTM)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-924",
              "description": "CWE-924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-03T04:29:42.794Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-gf6r-99xw-6qg6"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-54891.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-54891"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/07d2d0e93f6aaf7652a81e8df075fc1728da5e96"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Plaintext APPLICATION_DATA injected during TLS handshake delivered to client application post-handshake in ssl",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-54891",
    "datePublished": "2026-07-02T16:06:30.982Z",
    "dateReserved": "2026-06-16T10:47:13.915Z",
    "dateUpdated": "2026-07-03T04:29:42.794Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-55950 (GCVE-0-2026-55950)

Vulnerability from cvelistv5 – Published: 2026-07-02 16:06 – Updated: 2026-07-03 04:29
Title
DTLS listener crash via race condition in dtls_packet_demux causes denial of service for all sessions
Summary
Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Erlang/OTP ssl (dtls_packet_demux module) allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener.

A DTLS server listener uses a single shared dtls_packet_demux gen_server process to route incoming UDP datagrams to the correct connection handler. When a DTLS client reconnects rapidly from the same source address and port (sending multiple ClientHello messages in quick succession), a race condition in the demux's internal gb_trees key-value store causes a {key_exists, {old, Client}} crash, terminating the demux process. Because the demux is shared across all DTLS associations on that listener, its crash immediately kills every active DTLS session, not just the attacker's.

The attack is pre-authentication: the attacker only needs to send UDP datagrams containing valid ClientHello messages from the same source IP and port before the intermediate DOWN monitor message is processed by the gen_server. No credentials, no completed handshake, and no special configuration are required, and the crash can be repeated indefinitely to create a persistent denial of service for all clients of that listener.

This vulnerability is associated with program file lib/ssl/src/dtls_packet_demux.erl.

This issue affects OTP from OTP 25.3 before 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssl from 10.9 before 11.7.3, 11.6.0.3, and 11.2.12.10.
CWE
  • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
EEF
Impacted products
  • Vendor: Erlang; Product: OTP; Version: Affected: 10.9 , < * (otp)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
  • Vendor: Erlang; Product: OTP; Version: Affected: 25.3 , < * (otp)
    Affected: 44dcb4c3d900777493ce2a6129f451aa475811f9 , < e44d2bf01c4473ef2ea7f09e3523cf96de6e4a04 (git)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Credits
Lukas Backström, Ingela Anderton Andin, Dan Gudmundsson

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-55950",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-02T17:25:47.169172Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-02T17:25:53.041Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "dtls_packet_demux"
          ],
          "packageName": "ssl",
          "packageURL": "pkg:otp/ssl?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/dtls_packet_demux.erl"
          ],
          "programRoutines": [
            {
              "name": "dtls_packet_demux:handle_call/3"
            },
            {
              "name": "dtls_packet_demux:handle_info/2"
            },
            {
              "name": "dtls_packet_demux:new_connection/2"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "11.7.3",
                  "status": "unaffected"
                },
                {
                  "at": "11.6.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "11.2.12.10",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "10.9",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "dtls_packet_demux"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "lib/ssl/src/dtls_packet_demux.erl"
          ],
          "programRoutines": [
            {
              "name": "dtls_packet_demux:handle_call/3"
            },
            {
              "name": "dtls_packet_demux:handle_info/2"
            },
            {
              "name": "dtls_packet_demux:new_connection/2"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "29.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "28.5.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "27.3.4.14",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "25.3",
              "versionType": "otp"
            },
            {
              "lessThan": "e44d2bf01c4473ef2ea7f09e3523cf96de6e4a04",
              "status": "affected",
              "version": "44dcb4c3d900777493ce2a6129f451aa475811f9",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe application must accept incoming DTLS connections via \u003ctt\u003essl:listen/2\u003c/tt\u003e with a UDP-based transport. TLS-only deployments are not affected.\u003c/p\u003e"
            }
          ],
          "value": "The application must accept incoming DTLS connections via ssl:listen/2 with a UDP-based transport. TLS-only deployments are not affected."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "27.3.4.14",
                  "versionStartIncluding": "25.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "28.5.0.3",
                  "versionStartIncluding": "28.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.3",
                  "versionStartIncluding": "29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lukas Backstr\u00f6m"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Ingela Anderton Andin"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Dan Gudmundsson"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eTime-of-check Time-of-use (TOCTOU) race condition vulnerability in Erlang/OTP ssl (\u003ctt\u003edtls_packet_demux\u003c/tt\u003e module) allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener.\u003c/p\u003e\u003cp\u003eA DTLS server listener uses a single shared \u003ctt\u003edtls_packet_demux\u003c/tt\u003e \u003ctt\u003egen_server\u003c/tt\u003e process to route incoming UDP datagrams to the correct connection handler. When a DTLS client reconnects rapidly from the same source address and port (sending multiple \u003ctt\u003eClientHello\u003c/tt\u003e messages in quick succession), a race condition in the demux\u0027s internal \u003ctt\u003egb_trees\u003c/tt\u003e key-value store causes a \u003ctt\u003e{key_exists, {old, Client}}\u003c/tt\u003e crash, terminating the demux process. Because the demux is shared across all DTLS associations on that listener, its crash immediately kills every active DTLS session, not just the attacker\u0027s.\u003c/p\u003e\u003cp\u003eThe attack is pre-authentication: the attacker only needs to send UDP datagrams containing valid \u003ctt\u003eClientHello\u003c/tt\u003e messages from the same source IP and port before the intermediate \u003ctt\u003eDOWN\u003c/tt\u003e monitor message is processed by the \u003ctt\u003egen_server\u003c/tt\u003e. No credentials, no completed handshake, and no special configuration are required, and the crash can be repeated indefinitely to create a persistent denial of service for all clients of that listener.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/ssl/src/dtls_packet_demux.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 25.3 before 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssl from 10.9 before 11.7.3, 11.6.0.3, and 11.2.12.10.\u003c/p\u003e"
            }
          ],
          "value": "Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Erlang/OTP ssl (dtls_packet_demux module) allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener.\n\nA DTLS server listener uses a single shared dtls_packet_demux gen_server process to route incoming UDP datagrams to the correct connection handler. When a DTLS client reconnects rapidly from the same source address and port (sending multiple ClientHello messages in quick succession), a race condition in the demux\u0027s internal gb_trees key-value store causes a {key_exists, {old, Client}} crash, terminating the demux process. Because the demux is shared across all DTLS associations on that listener, its crash immediately kills every active DTLS session, not just the attacker\u0027s.\n\nThe attack is pre-authentication: the attacker only needs to send UDP datagrams containing valid ClientHello messages from the same source IP and port before the intermediate DOWN monitor message is processed by the gen_server. No credentials, no completed handshake, and no special configuration are required, and the crash can be repeated indefinitely to create a persistent denial of service for all clients of that listener.\n\nThis vulnerability is associated with program file lib/ssl/src/dtls_packet_demux.erl.\n\nThis issue affects OTP from OTP 25.3 before 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssl from 10.9 before 11.7.3, 11.6.0.3, and 11.2.12.10."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-29",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-03T04:29:33.147Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-hwfc-5hf4-gvr3"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-55950.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-55950"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/e44d2bf01c4473ef2ea7f09e3523cf96de6e4a04"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "DTLS listener crash via race condition in dtls_packet_demux causes denial of service for all sessions",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-55950",
    "datePublished": "2026-07-02T16:06:24.783Z",
    "dateReserved": "2026-06-17T17:55:15.685Z",
    "dateUpdated": "2026-07-03T04:29:33.147Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-54886 (GCVE-0-2026-54886)

Vulnerability from cvelistv5 – Published: 2026-07-02 16:06 – Updated: 2026-07-03 04:29
Title
SSH SFTP server denial of service via extended channel data infinite loop
Summary
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to render an SFTP channel permanently unresponsive.

The handle_data/4 function in ssh_sftpd contains a catch-all clause that accepts channel data of any type. When channel data with a non-zero type code (SSH_MSG_CHANNEL_EXTENDED_DATA) arrives with an empty pending buffer and a payload at or below the SFTP packet size limit, the clause tail-calls itself with identical arguments, creating an infinite loop.

The SFTP protocol operates exclusively on normal channel data (type 0). Extended data (non-zero type) is meaningless for SFTP and is never sent by conforming clients. However, the SSH protocol permits any channel participant to send extended data on an open channel, so an authenticated SFTP client can trigger the loop by sending SSH_MSG_CHANNEL_EXTENDED_DATA with any data_type_code and any non-empty payload at or below the size limit.

The targeted ssh_sftpd process enters an infinite tail-recursive loop. It never processes another message, its message queue grows without bound, and it can only be stopped by killing the process. BEAM's reduction-based scheduler preemption continues to function, so other processes on the node are not starved, but each stuck channel process consumes its full CPU time share continuously and accumulates unbounded message queue memory. Opening many channels amplifies the CPU and memory impact. Erlang/OTP SSH configurations using the default max_channels setting (infinity) allow an authenticated user to open unlimited channels per connection, amplifying the attack without requiring multiple TCP connections or authentications.

No file contents, credentials, or write access are obtainable through this issue. The impact is limited to denial of service on targeted SFTP channels, with secondary CPU degradation and memory growth.

This vulnerability is associated with program file lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_data/4. This issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.
CWE
  • CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
EEF
Impacted products
  • Vendor: Erlang; Product: OTP; Version: Affected: 3.0.1 , < * (otp)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
  • Vendor: Erlang; Product: OTP; Version: Affected: 17.0 , < * (otp)
    Affected: 84adefa3318eef8631bf25cd233246a86eea18cd , < eaf9550b8ad4738b81149d3f617102d980c6dd18 (git)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Credits
Lukas Backström, Michał Wąsowski, Jakub Witczak

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54886",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-02T17:27:25.414155Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-02T17:27:30.648Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "ssh_sftpd"
          ],
          "packageName": "ssh",
          "packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/ssh_sftpd.erl"
          ],
          "programRoutines": [
            {
              "name": "ssh_sftpd:handle_data/4"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "6.0.2",
                  "status": "unaffected"
                },
                {
                  "at": "5.5.2.2",
                  "status": "unaffected"
                },
                {
                  "at": "5.2.11.9",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "3.0.1",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "ssh_sftpd"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "lib/ssh/src/ssh_sftpd.erl"
          ],
          "programRoutines": [
            {
              "name": "ssh_sftpd:handle_data/4"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "29.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "28.5.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "27.3.4.14",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "17.0",
              "versionType": "otp"
            },
            {
              "lessThan": "eaf9550b8ad4738b81149d3f617102d980c6dd18",
              "status": "affected",
              "version": "84adefa3318eef8631bf25cd233246a86eea18cd",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "27.3.4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "28.5.0.3",
                  "versionStartIncluding": "28.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.3",
                  "versionStartIncluding": "29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lukas Backstr\u00f6m"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Micha\u0142 W\u0105sowski"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Jakub Witczak"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in Erlang OTP \u003ctt\u003essh\u003c/tt\u003e (\u003ctt\u003essh_sftpd\u003c/tt\u003e module) allows an authenticated SFTP user to render an SFTP channel permanently unresponsive.\u003cp\u003eThe \u003ctt\u003ehandle_data/4\u003c/tt\u003e function in \u003ctt\u003essh_sftpd\u003c/tt\u003e contains a catch-all clause that accepts channel data of any type. When channel data with a non-zero type code (\u003ctt\u003eSSH_MSG_CHANNEL_EXTENDED_DATA\u003c/tt\u003e) arrives with an empty pending buffer and a payload at or below the SFTP packet size limit, the clause tail-calls itself with identical arguments, creating an infinite loop.\u003c/p\u003e\u003cp\u003eThe SFTP protocol operates exclusively on normal channel data (type 0). Extended data (non-zero type) is meaningless for SFTP and is never sent by conforming clients. However, the SSH protocol permits any channel participant to send extended data on an open channel, so an authenticated SFTP client can trigger the loop by sending \u003ctt\u003eSSH_MSG_CHANNEL_EXTENDED_DATA\u003c/tt\u003e with any \u003ctt\u003edata_type_code\u003c/tt\u003e and any non-empty payload at or below the size limit.\u003c/p\u003e\u003cp\u003eThe targeted \u003ctt\u003essh_sftpd\u003c/tt\u003e process enters an infinite tail-recursive loop. It never processes another message, its message queue grows without bound, and it can only be stopped by killing the process. BEAM\u0027s reduction-based scheduler preemption continues to function, so other processes on the node are not starved, but each stuck channel process consumes its full CPU time share continuously and accumulates unbounded message queue memory. Opening many channels amplifies the CPU and memory impact.\u003c/p\u003e\u003cp\u003eErlang/OTP SSH configurations using the default \u003ctt\u003emax_channels\u003c/tt\u003e setting (\u003ctt\u003einfinity\u003c/tt\u003e) allow an authenticated user to open unlimited channels per connection, amplifying the attack without requiring multiple TCP connections or authentications.\u003c/p\u003e\u003cp\u003eNo file contents, credentials, or write access are obtainable through this issue. The impact is limited to denial of service on targeted SFTP channels, with secondary CPU degradation and memory growth.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e and program routine \u003ctt\u003essh_sftpd:handle_data/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to \u003ctt\u003essh\u003c/tt\u003e from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.\u003c/p\u003e"
            }
          ],
          "value": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to render an SFTP channel permanently unresponsive.\n\nThe handle_data/4 function in ssh_sftpd contains a catch-all clause that accepts channel data of any type. When channel data with a non-zero type code (SSH_MSG_CHANNEL_EXTENDED_DATA) arrives with an empty pending buffer and a payload at or below the SFTP packet size limit, the clause tail-calls itself with identical arguments, creating an infinite loop.\n\nThe SFTP protocol operates exclusively on normal channel data (type 0). Extended data (non-zero type) is meaningless for SFTP and is never sent by conforming clients. However, the SSH protocol permits any channel participant to send extended data on an open channel, so an authenticated SFTP client can trigger the loop by sending SSH_MSG_CHANNEL_EXTENDED_DATA with any data_type_code and any non-empty payload at or below the size limit.\n\nThe targeted ssh_sftpd process enters an infinite tail-recursive loop. It never processes another message, its message queue grows without bound, and it can only be stopped by killing the process. BEAM\u0027s reduction-based scheduler preemption continues to function, so other processes on the node are not starved, but each stuck channel process consumes its full CPU time share continuously and accumulates unbounded message queue memory. Opening many channels amplifies the CPU and memory impact.\n\nErlang/OTP SSH configurations using the default max_channels setting (infinity) allow an authenticated user to open unlimited channels per connection, amplifying the attack without requiring multiple TCP connections or authentications.\n\nNo file contents, credentials, or write access are obtainable through this issue. The impact is limited to denial of service on targeted SFTP channels, with secondary CPU degradation and memory growth.\n\nThis vulnerability is associated with program file lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_data/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-835",
              "description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-03T04:29:26.056Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-7wp4-pc27-2vj9"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-54886.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-54886"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/eaf9550b8ad4738b81149d3f617102d980c6dd18"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "SSH SFTP server denial of service via extended channel data infinite loop",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cul\u003e\u003cli\u003eSet the \u003ctt\u003emax_channels\u003c/tt\u003e daemon option to a finite value (e.g., \u003ctt\u003e{max_channels, 10}\u003c/tt\u003e) to limit the number of channels an attacker can open per connection.\u003c/li\u003e\u003cli\u003eSet the \u003ctt\u003emax_sessions\u003c/tt\u003e daemon option to limit total concurrent SSH connections to the daemon.\u003c/li\u003e\u003cli\u003eUse external process monitoring to detect and kill \u003ctt\u003essh_sftpd\u003c/tt\u003e processes with abnormally high reduction counts and growing message queues.\u003c/li\u003e\u003cli\u003eEnsure that the SFTP server port is not reachable from untrusted machines.\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "* Set the max_channels daemon option to a finite value (e.g., {max_channels, 10}) to limit the number of channels an attacker can open per connection.\n* Set the max_sessions daemon option to limit total concurrent SSH connections to the daemon.\n* Use external process monitoring to detect and kill ssh_sftpd processes with abnormally high reduction counts and growing message queues.\n* Ensure that the SFTP server port is not reachable from untrusted machines."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-54886",
    "datePublished": "2026-07-02T16:06:20.502Z",
    "dateReserved": "2026-06-16T10:47:13.914Z",
    "dateUpdated": "2026-07-03T04:29:26.056Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-55952 (GCVE-0-2026-55952)

Vulnerability from cvelistv5 – Published: 2026-07-02 16:06 – Updated: 2026-07-03 04:29
Title
TLS 1.3 server denial of service via malformed ClientHello pre-shared key extension
Summary
The Erlang/OTP ssl application does not validate that the PSK identity list and binder list carried in a TLS 1.3 ClientHello pre-shared key extension have equal length before passing them to the session ticket handler. In tls_handshake_1_3:handle_pre_shared_key/3, an OfferedPreSharedKeys record with a mismatched number of identities and binders is forwarded directly to tls_server_session_ticket:use/4, which crashes the session ticket handler process. An unauthenticated remote attacker can send a single crafted ClientHello to a TLS 1.3 server with session tickets enabled (stateful or stateless mode) and permanently disrupt session ticket handling on that listener. New TLS 1.3 handshakes complete but subsequently crash when the server attempts to issue a session ticket, effectively making TLS 1.3 unusable on the affected listener until the ssl application is restarted. TLS 1.2 connections are not affected. This issue affects OTP from 22.2 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 9.5 before 11.7.3, 11.6.0.3 and 11.2.12.10.
CWE
  • CWE-1284 - Improper Validation of Specified Quantity in Input
Assigner
EEF
Impacted products
Vendor Product Version
Erlang OTP Affected: 9.5 , < * (otp)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Erlang OTP Affected: 22.2 , < * (otp)
Affected: 339a279f02ce38a7b23010e56000613e19abb21f , < * (git)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Credits
Lukas Backström, Ingela Anderton Andin, Dan Gudmundsson, Jakub Witczak

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-55952",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-02T17:28:09.569991Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-02T17:28:15.681Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "tls_handshake_1_3"
          ],
          "packageName": "ssl",
          "packageURL": "pkg:otp/ssl?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/tls_handshake_1_3.erl"
          ],
          "programRoutines": [
            {
              "name": "tls_handshake_1_3:handle_pre_shared_key/3"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "11.7.3",
                  "status": "unaffected"
                },
                {
                  "at": "11.6.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "11.2.12.10",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "9.5",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "tls_handshake_1_3"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "lib/ssl/src/tls_handshake_1_3.erl"
          ],
          "programRoutines": [
            {
              "name": "tls_handshake_1_3:handle_pre_shared_key/3"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "29.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "28.5.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "27.3.4.14",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "22.2",
              "versionType": "otp"
            },
            {
              "changes": [
                {
                  "at": "e77823e6d980b2ec0b4fe4ea3f2d098ca239e3ce",
                  "status": "unaffected"
                },
                {
                  "at": "2c3e599797644310e5d4aa39c7193420e59dadff",
                  "status": "unaffected"
                },
                {
                  "at": "9b5437c72fa3403a75c1aba28e5c532bc191c662",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "339a279f02ce38a7b23010e56000613e19abb21f",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe vulnerability only affects TLS 1.3 servers that have session tickets enabled (either stateful or stateless mode). TLS 1.2 connections and clients are not affected.\u003c/p\u003e"
            }
          ],
          "value": "The vulnerability only affects TLS 1.3 servers that have session tickets enabled (either stateful or stateless mode). TLS 1.2 connections and clients are not affected."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "27.3.4.14",
                  "versionStartIncluding": "22.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "28.5.0.3",
                  "versionStartIncluding": "28.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.3",
                  "versionStartIncluding": "29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lukas Backstr\u00f6m"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Ingela Anderton Andin"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Dan Gudmundsson"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Jakub Witczak"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe Erlang/OTP \u003ctt\u003essl\u003c/tt\u003e application does not validate that the PSK identity list and binder list carried in a TLS 1.3 \u003ctt\u003eClientHello\u003c/tt\u003e pre-shared key extension have equal length before passing them to the session ticket handler. In \u003ctt\u003etls_handshake_1_3:handle_pre_shared_key/3\u003c/tt\u003e, an \u003ctt\u003eOfferedPreSharedKeys\u003c/tt\u003e record with a mismatched number of identities and binders is forwarded directly to \u003ctt\u003etls_server_session_ticket:use/4\u003c/tt\u003e, which crashes the session ticket handler process.\u003c/p\u003e\u003cp\u003eAn unauthenticated remote attacker can send a single crafted \u003ctt\u003eClientHello\u003c/tt\u003e to a TLS 1.3 server with session tickets enabled (stateful or stateless mode) and permanently disrupt session ticket handling on that listener. New TLS 1.3 handshakes complete but subsequently crash when the server attempts to issue a session ticket, effectively making TLS 1.3 unusable on the affected listener until the \u003ctt\u003essl\u003c/tt\u003e application is restarted. TLS 1.2 connections are not affected.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from 22.2 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 9.5 before 11.7.3, 11.6.0.3 and 11.2.12.10.\u003c/p\u003e"
            }
          ],
          "value": "The Erlang/OTP ssl application does not validate that the PSK identity list and binder list carried in a TLS 1.3 ClientHello pre-shared key extension have equal length before passing them to the session ticket handler. In tls_handshake_1_3:handle_pre_shared_key/3, an OfferedPreSharedKeys record with a mismatched number of identities and binders is forwarded directly to tls_server_session_ticket:use/4, which crashes the session ticket handler process.\n\nAn unauthenticated remote attacker can send a single crafted ClientHello to a TLS 1.3 server with session tickets enabled (stateful or stateless mode) and permanently disrupt session ticket handling on that listener. New TLS 1.3 handshakes complete but subsequently crash when the server attempts to issue a session ticket, effectively making TLS 1.3 unusable on the affected listener until the ssl application is restarted. TLS 1.2 connections are not affected.\n\nThis issue affects OTP from 22.2 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 9.5 before 11.7.3, 11.6.0.3 and 11.2.12.10."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-153",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-153 Input Data Manipulation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1284",
              "description": "CWE-1284 Improper Validation of Specified Quantity in Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-03T04:29:07.026Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-8c57-44c9-pc59"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-55952.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-55952"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/e77823e6d980b2ec0b4fe4ea3f2d098ca239e3ce"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/2c3e599797644310e5d4aa39c7193420e59dadff"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/9b5437c72fa3403a75c1aba28e5c532bc191c662"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "TLS 1.3 server denial of service via malformed ClientHello pre-shared key extension",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cul\u003e\u003cli\u003eDisable session tickets on TLS 1.3 servers by setting \u003ctt\u003esession_tickets\u003c/tt\u003e to \u003ctt\u003edisabled\u003c/tt\u003e in the server\u0027s \u003ctt\u003essl\u003c/tt\u003e options.\u003c/li\u003e\u003cli\u003eRestrict the server to TLS 1.2 by setting \u003ctt\u003eversions\u003c/tt\u003e to \u003ctt\u003e[\u0027tlsv1.2\u0027]\u003c/tt\u003e in the server\u0027s \u003ctt\u003essl\u003c/tt\u003e options.\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "* Disable session tickets on TLS 1.3 servers by setting session_tickets to disabled in the server\u0027s ssl options.\n* Restrict the server to TLS 1.2 by setting versions to [\u0027tlsv1.2\u0027] in the server\u0027s ssl options."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-55952",
    "datePublished": "2026-07-02T16:06:08.474Z",
    "dateReserved": "2026-06-17T17:55:15.686Z",
    "dateUpdated": "2026-07-03T04:29:07.026Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-54887 (GCVE-0-2026-54887)

Vulnerability from cvelistv5 – Published: 2026-07-02 16:06 – Updated: 2026-07-03 04:29
Title
DTLS server cookie bypass during startup window due to empty initial cookie secret
Summary
Use of Default Cryptographic Key vulnerability in Erlang/OTP ssl (DTLS server) allows predictable DTLS cookie computation during the startup window, enabling source address verification bypass. On DTLS server startup, dtls_server_connection:initial_hello/3 initializes previous_cookie_secret to the empty binary (<<>>) instead of a random value. Because HMAC with an empty key is deterministic, anyone who observes the plaintext ClientHello can compute dtls_handshake:cookie(<<>>, IP, Port, Hello) and forge a valid DTLS cookie before the first rotation of the cookie secret. The DTLS cookie (RFC 6347 §4.2.1) is a denial-of-service mitigation that prevents spoofed source IPs from forcing the server to allocate state and perform expensive cryptographic operations; it is not an authentication mechanism. During the window from server startup until the first secret rotation (0 to 15 seconds), an attacker who can observe the plaintext ClientHello can bypass the source address verification, enabling DTLS handshake amplification with spoofed source addresses. This vulnerability is associated with program file lib/ssl/src/dtls_server_connection.erl and program routine dtls_server_connection:initial_hello/3. This issue affects OTP from OTP 20.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 8.2 before 11.7.3, 11.6.0.3 and 11.2.12.10.
CWE
  • CWE-1394 - Use of Default Cryptographic Key
Assigner
EEF
Impacted products
Vendor Product Version
Erlang OTP Affected: 8.2 , < * (otp)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Erlang OTP Affected: 20.0 , < * (otp)
Affected: e594aad2f87aab39e99fccf9e021bc94e0bbf7d4 , < 888e3bcd72d5406016b9e0de741026bc2a6f114d (git)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Credits
Lukas Backström, Ingela Anderton Andin, Dan Gudmundsson

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54887",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-02T17:28:36.936306Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-02T17:28:43.784Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "dtls_server_connection"
          ],
          "packageName": "ssl",
          "packageURL": "pkg:otp/ssl?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/dtls_server_connection.erl"
          ],
          "programRoutines": [
            {
              "name": "dtls_server_connection:initial_hello/3"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "11.7.3",
                  "status": "unaffected"
                },
                {
                  "at": "11.6.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "11.2.12.10",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "8.2",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "dtls_server_connection"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "lib/ssl/src/dtls_server_connection.erl"
          ],
          "programRoutines": [
            {
              "name": "dtls_server_connection:initial_hello/3"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "29.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "28.5.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "27.3.4.14",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "20.0",
              "versionType": "otp"
            },
            {
              "lessThan": "888e3bcd72d5406016b9e0de741026bc2a6f114d",
              "status": "affected",
              "version": "e594aad2f87aab39e99fccf9e021bc94e0bbf7d4",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "27.3.4.14",
                  "versionStartIncluding": "20.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "28.5.0.3",
                  "versionStartIncluding": "28.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.3",
                  "versionStartIncluding": "29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lukas Backstr\u00f6m"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Ingela Anderton Andin"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Dan Gudmundsson"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUse of Default Cryptographic Key vulnerability in Erlang/OTP ssl (DTLS server) allows predictable DTLS cookie computation during the startup window, enabling source address verification bypass.\u003c/p\u003e\u003cp\u003eOn DTLS server startup, \u003ctt\u003edtls_server_connection:initial_hello/3\u003c/tt\u003e initializes \u003ctt\u003eprevious_cookie_secret\u003c/tt\u003e to the empty binary (\u003ctt\u003e\u0026lt;\u0026lt;\u0026gt;\u0026gt;\u003c/tt\u003e) instead of a random value. Because HMAC with an empty key is deterministic, anyone who observes the plaintext \u003ctt\u003eClientHello\u003c/tt\u003e can compute \u003ctt\u003edtls_handshake:cookie(\u0026lt;\u0026lt;\u0026gt;\u0026gt;, IP, Port, Hello)\u003c/tt\u003e and forge a valid DTLS cookie before the first rotation of the cookie secret. The DTLS cookie (RFC 6347 \u00a74.2.1) is a denial-of-service mitigation that prevents spoofed source IPs from forcing the server to allocate state and perform expensive cryptographic operations; it is not an authentication mechanism. During the window from server startup until the first secret rotation (0 to 15 seconds), an attacker who can observe the plaintext \u003ctt\u003eClientHello\u003c/tt\u003e can bypass the source address verification, enabling DTLS handshake amplification with spoofed source addresses.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/ssl/src/dtls_server_connection.erl\u003c/tt\u003e and program routine \u003ctt\u003edtls_server_connection:initial_hello/3\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 20.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 8.2 before 11.7.3, 11.6.0.3 and 11.2.12.10.\u003c/p\u003e"
            }
          ],
          "value": "Use of Default Cryptographic Key vulnerability in Erlang/OTP ssl (DTLS server) allows predictable DTLS cookie computation during the startup window, enabling source address verification bypass.\n\nOn DTLS server startup, dtls_server_connection:initial_hello/3 initializes previous_cookie_secret to the empty binary (\u003c\u003c\u003e\u003e) instead of a random value. Because HMAC with an empty key is deterministic, anyone who observes the plaintext ClientHello can compute dtls_handshake:cookie(\u003c\u003c\u003e\u003e, IP, Port, Hello) and forge a valid DTLS cookie before the first rotation of the cookie secret. The DTLS cookie (RFC 6347 \u00a74.2.1) is a denial-of-service mitigation that prevents spoofed source IPs from forcing the server to allocate state and perform expensive cryptographic operations; it is not an authentication mechanism. During the window from server startup until the first secret rotation (0 to 15 seconds), an attacker who can observe the plaintext ClientHello can bypass the source address verification, enabling DTLS handshake amplification with spoofed source addresses.\n\nThis vulnerability is associated with program file lib/ssl/src/dtls_server_connection.erl and program routine dtls_server_connection:initial_hello/3.\n\nThis issue affects OTP from OTP 20.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 8.2 before 11.7.3, 11.6.0.3 and 11.2.12.10."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-485",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-485 Signature Spoofing by Key Recreation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1394",
              "description": "CWE-1394 Use of Default Cryptographic Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-03T04:29:00.191Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-p2m2-3c2w-8jp8"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-54887.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-54887"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/888e3bcd72d5406016b9e0de741026bc2a6f114d"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "DTLS server cookie bypass during startup window due to empty initial cookie secret",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-54887",
    "datePublished": "2026-07-02T16:06:04.156Z",
    "dateReserved": "2026-06-16T10:47:13.915Z",
    "dateUpdated": "2026-07-03T04:29:00.191Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-53422 (GCVE-0-2026-53422)

Vulnerability from cvelistv5 – Published: 2026-07-02 16:06 – Updated: 2026-07-03 04:28
Title
SFTP REALPATH path-existence oracle allowing filesystem enumeration outside configured root
Summary
Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory.

The SSH_FXP_REALPATH handler in ssh_sftpd calls relate_file_name/3 with Canonicalize=false, unlike every other SFTP operation handler. This allows .. components in the requested path to bypass the is_within_root/2 check without being resolved. The un-canonicalized path then enters resolve_symlinks/2, which walks up the directory tree above the configured root and issues read_link() syscalls on arbitrary filesystem paths.

An authenticated SFTP client can exploit this by sending a REALPATH request with a crafted traversal path. The server response differs depending on whether the target path exists on the host filesystem (SSH_FXP_NAME when the path resolves successfully, SSH_FX_NO_SUCH_FILE when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including the existence of sensitive files, directories, and mount points.

The vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities.

This vulnerability is associated with program file lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_op/4.

This issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.
CWE
  • CWE-204 - Observable Response Discrepancy
Assigner
EEF
Impacted products
Vendor   Product   Version
Erlang   OTP       Affected: 3.0.1 , < * (otp)
                   cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Erlang   OTP       Affected: 17.0 , < * (otp)
                   Affected: 84adefa331c4159d432d22840663c38f155cd4c1 , < * (git)
                   cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Credits
Mohamed Ali IBNAL HAJALI / Ericsson Michał Wąsowski Jakub Witczak

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-53422",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-02T17:29:13.490797Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-02T17:29:32.878Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "ssh_sftpd"
          ],
          "packageName": "ssh",
          "packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/ssh_sftpd.erl"
          ],
          "programRoutines": [
            {
              "name": "ssh_sftpd:handle_op/4"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "6.0.2",
                  "status": "unaffected"
                },
                {
                  "at": "5.5.2.2",
                  "status": "unaffected"
                },
                {
                  "at": "5.2.11.9",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "3.0.1",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "ssh_sftpd"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "lib/ssh/src/ssh_sftpd.erl"
          ],
          "programRoutines": [
            {
              "name": "ssh_sftpd:handle_op/4"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "29.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "28.5.0.3",
                  "status": "unaffected"
                },
                {
                  "at": "27.3.4.14",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "17.0",
              "versionType": "otp"
            },
            {
              "changes": [
                {
                  "at": "059e5785ef8c1d423820ca633fb7b37f47645172",
                  "status": "unaffected"
                },
                {
                  "at": "86622cfaacf57a02c7645d1999f946846b504c94",
                  "status": "unaffected"
                },
                {
                  "at": "c5a8f50ae68888ff243c5c741a06d2b3a4b48b7a",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "84adefa331c4159d432d22840663c38f155cd4c1",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe SFTP subsystem must be configured with the \u003ctt\u003eroot\u003c/tt\u003e option in \u003ctt\u003essh_sftpd:subsystem_spec/1\u003c/tt\u003e, and the operator must rely on it to provide filesystem path isolation. The \u003ctt\u003eroot\u003c/tt\u003e option is not set by default.\u003c/p\u003e"
            }
          ],
          "value": "The SFTP subsystem must be configured with the root option in ssh_sftpd:subsystem_spec/1, and the operator must rely on it to provide filesystem path isolation. The root option is not set by default."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "27.3.4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "28.5.0.3",
                  "versionStartIncluding": "28.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.3",
                  "versionStartIncluding": "29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Mohamed Ali IBNAL HAJALI / Ericsson"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Micha\u0142 W\u0105sowski"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Jakub Witczak"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eObservable Response Discrepancy vulnerability in Erlang OTP \u003ctt\u003essh\u003c/tt\u003e (\u003ctt\u003essh_sftpd\u003c/tt\u003e module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003eSSH_FXP_REALPATH\u003c/tt\u003e handler in \u003ctt\u003essh_sftpd\u003c/tt\u003e calls \u003ctt\u003erelate_file_name/3\u003c/tt\u003e with \u003ctt\u003eCanonicalize=false\u003c/tt\u003e, unlike every other SFTP operation handler. This allows \u003ctt\u003e..\u003c/tt\u003e components in the requested path to bypass the \u003ctt\u003eis_within_root/2\u003c/tt\u003e check without being resolved. The un-canonicalized path then enters \u003ctt\u003eresolve_symlinks/2\u003c/tt\u003e, which walks up the directory tree above the configured root and issues \u003ctt\u003eread_link()\u003c/tt\u003e syscalls on arbitrary filesystem paths.\u003c/p\u003e\u003cp\u003eAn authenticated SFTP client can exploit this by sending a \u003ctt\u003eREALPATH\u003c/tt\u003e request with a crafted traversal path. The server response differs depending on whether the target path exists on the host filesystem (\u003ctt\u003eSSH_FXP_NAME\u003c/tt\u003e when the path resolves successfully, \u003ctt\u003eSSH_FX_NO_SUCH_FILE\u003c/tt\u003e when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including the existence of sensitive files, directories, and mount points.\u003c/p\u003e\u003cp\u003eThe vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e and program routine \u003ctt\u003essh_sftpd:handle_op/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to \u003ctt\u003essh\u003c/tt\u003e from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.\u003c/p\u003e"
            }
          ],
          "value": "Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory.\n\nThe SSH_FXP_REALPATH handler in ssh_sftpd calls relate_file_name/3 with Canonicalize=false, unlike every other SFTP operation handler. This allows .. components in the requested path to bypass the is_within_root/2 check without being resolved. The un-canonicalized path then enters resolve_symlinks/2, which walks up the directory tree above the configured root and issues read_link() syscalls on arbitrary filesystem paths.\n\nAn authenticated SFTP client can exploit this by sending a REALPATH request with a crafted traversal path. The server response differs depending on whether the target path exists on the host filesystem (SSH_FXP_NAME when the path resolves successfully, SSH_FX_NO_SUCH_FILE when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including the existence of sensitive files, directories, and mount points.\n\nThe vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_op/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-54",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-54 Query System for Information"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-204",
              "description": "CWE-204 Observable Response Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-03T04:28:59.578Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-h9pw-h5w4-h976"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-53422.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-53422"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/059e5785ef8c1d423820ca633fb7b37f47645172"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/86622cfaacf57a02c7645d1999f946846b504c94"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/c5a8f50ae68888ff243c5c741a06d2b3a4b48b7a"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "SFTP REALPATH path-existence oracle allowing filesystem enumeration outside configured root",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cul\u003e\u003cli\u003eUse OS-level chroot to run the Erlang VM or SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level \u003ctt\u003eroot\u003c/tt\u003e option.\u003c/li\u003e\u003cli\u003eEnsure the SFTP server port on the machine running the Erlang/OTP SFTP server is not reachable from untrusted machines.\u003c/li\u003e\u003cli\u003eEnsure that no sensitive information (usernames, project names, mount topology) is inferrable from the existence or non-existence of paths on the host filesystem.\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "* Use OS-level chroot to run the Erlang VM or SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level root option.\n* Ensure the SFTP server port on the machine running the Erlang/OTP SFTP server is not reachable from untrusted machines.\n* Ensure that no sensitive information (usernames, project names, mount topology) is inferrable from the existence or non-existence of paths on the host filesystem."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-53422",
    "datePublished": "2026-07-02T16:06:03.802Z",
    "dateReserved": "2026-06-09T11:01:47.529Z",
    "dateUpdated": "2026-07-03T04:28:59.578Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-53426 (GCVE-0-2026-53426)

Vulnerability from cvelistv5 – Published: 2026-06-29 19:11 – Updated: 2026-06-30 04:38
Title
Atom-table exhaustion denial-of-service via JSON parse_document in MDEx
Summary
Allocation of Resources Without Limits or Throttling vulnerability in leandrocp MDEx allows Excessive Allocation.

MDEx.parse_document/2 accepts a {:json, json} source. In lib/mdex.ex, the private json_to_node/1 function passes the attacker-controlled node_type value to Module.concat/1, which calls String.to_atom/1 and interns a brand-new atom for every distinct value. Atoms are never garbage collected on the BEAM, so a crafted JSON document carrying a unique node_type at each (deeply nested) node mints one permanent atom per node. A single document can intern hundreds of thousands of atoms, and a large enough document exhausts the default atom table (around 1,048,576 atoms) and aborts the entire Erlang VM, taking down every process on the node.

Any application that passes untrusted input to the {:json, ...} source of MDEx.parse_document is exposed to an unauthenticated denial-of-service. This issue affects mdex from 0.4.3 before 0.13.2.
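The attack document and the allow-list style of fix, as an added Python model (not MDEx, Elixir or BEAM code): AtomTable stands in for the VM's global atom table (fixed capacity, entries never freed), json_to_node_vulnerable for the Module.concat/String.to_atom path the advisory describes, and json_to_node_hardened for a lookup restricted to a fixed set of known node types, in the spirit of String.to_existing_atom/1. The set KNOWN_NODE_TYPES, the node shape ({"node_type": ..., "nodes": [...]}) and the crafted document are constructed here; the real MDEx JSON schema and the exact fix in 0.13.2 are not reproduced.

```python
"""Model of atom minting from untrusted JSON node types, and an allow-list fix.

Added example, not MDEx or BEAM code. AtomTable models a fixed-capacity table
whose entries are never freed; exhausting it is modelled as SystemExit because
the real VM aborts the whole node.
"""
import json


class AtomTableExhausted(SystemExit):
    """The BEAM aborts the VM when the atom table fills; modelled as SystemExit."""


class AtomTable:
    def __init__(self, limit: int = 1_048_576):
        self.limit = limit
        self._atoms: dict = {}

    def to_atom(self, name: str) -> int:
        """String.to_atom/1: interns a new atom for every distinct name, permanently."""
        if name not in self._atoms:
            if len(self._atoms) >= self.limit:
                raise AtomTableExhausted("atom table full")
            self._atoms[name] = len(self._atoms)
        return self._atoms[name]

    def to_existing_atom(self, name: str) -> int:
        """String.to_existing_atom/1: resolves only, never allocates."""
        if name not in self._atoms:
            raise KeyError(name)
        return self._atoms[name]

    def __len__(self) -> int:
        return len(self._atoms)


# Constructed allow-list; the real MDEx node vocabulary is not reproduced here.
KNOWN_NODE_TYPES = ("document", "paragraph", "text", "heading", "list", "list_item", "code")


def json_to_node_vulnerable(table: AtomTable, node: dict) -> dict:
    """Attacker-controlled node_type is interned unconditionally, one atom per distinct value."""
    return {
        "type": table.to_atom(node["node_type"]),
        "nodes": [json_to_node_vulnerable(table, child) for child in node.get("nodes", [])],
    }


def json_to_node_hardened(table: AtomTable, node: dict) -> dict:
    """Only names already interned from KNOWN_NODE_TYPES resolve; anything else is
    rejected before any lookup, so untrusted input can never grow the table."""
    if node["node_type"] not in KNOWN_NODE_TYPES:
        raise ValueError(f"unknown node_type {node['node_type']!r}")
    return {
        "type": table.to_existing_atom(node["node_type"]),
        "nodes": [json_to_node_hardened(table, child) for child in node.get("nodes", [])],
    }


def crafted_document(depth: int) -> str:
    """Nested JSON with a unique node_type at every level: one new atom per node."""
    node = {"node_type": f"evil_{depth}", "nodes": []}
    for i in range(depth - 1, 0, -1):
        node = {"node_type": f"evil_{i}", "nodes": [node]}
    return json.dumps(node)


def parse(parser, doc: str, limit: int = 1_048_576) -> tuple:
    """Run one parser over a document on a fresh table and return
    (outcome, atoms allocated on behalf of the input)."""
    table = AtomTable(limit=limit)
    for name in KNOWN_NODE_TYPES:  # atoms the application legitimately owns
        table.to_atom(name)
    baseline = len(table)
    try:
        parser(table, json.loads(doc))
        return ("ok", len(table) - baseline)
    except AtomTableExhausted:
        return ("vm_aborted", len(table) - baseline)
    except ValueError:
        return ("rejected", len(table) - baseline)


if __name__ == "__main__":
    doc = crafted_document(200)
    print("vulnerable, default-sized table:", parse(json_to_node_vulnerable, doc))
    print("vulnerable, table capped at 100: ", parse(json_to_node_vulnerable, doc, limit=100))
    print("hardened:                        ", parse(json_to_node_hardened, doc))
```

The capped run is the interesting one: the parser never returns, the whole table is gone and, on a real node, so is every other process. Depth is kept at 200 only to stay inside Python's recursion limit; the same document generator with a few hundred thousand levels is the document the advisory describes.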
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
EEF
Impacted products
Vendor      Product   Version
leandrocp   mdex      Affected: 0.4.3 , < 0.13.2 (semver)
                      cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*
leandrocp   mdex      Affected: cbb59a3f792dbc343873adec3466f49c853dc309 , < 00fddf444220a1f1cc0af0a1cab6738804878387 (git)
                      cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*
Credits
Peter Ullrich Leandro Pereira Jonatan Männchen / EEF

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-53426",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-29T20:49:38.921685Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-29T20:49:48.817Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.MDEx\u0027"
          ],
          "packageName": "mdex",
          "packageURL": "pkg:hex/mdex",
          "product": "mdex",
          "programFiles": [
            "lib/mdex.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.MDEx\u0027:parse_document/2"
            },
            {
              "name": "\u0027Elixir.MDEx\u0027:json_to_node/1"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "0.13.2",
              "status": "affected",
              "version": "0.4.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.MDEx\u0027"
          ],
          "packageName": "leandrocp/mdex",
          "packageURL": "pkg:github/leandrocp/mdex",
          "product": "mdex",
          "programFiles": [
            "lib/mdex.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.MDEx\u0027:parse_document/2"
            },
            {
              "name": "\u0027Elixir.MDEx\u0027:json_to_node/1"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "00fddf444220a1f1cc0af0a1cab6738804878387",
              "status": "affected",
              "version": "cbb59a3f792dbc343873adec3466f49c853dc309",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.13.2",
                  "versionStartIncluding": "0.4.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Leandro Pereira"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen / EEF"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in leandrocp MDEx allows Excessive Allocation.\u003c/p\u003e\u003cp\u003e\u003ctt\u003eMDEx.parse_document/2\u003c/tt\u003e accepts a \u003ctt\u003e{:json, json}\u003c/tt\u003e source. In \u003ctt\u003elib/mdex.ex\u003c/tt\u003e, the private \u003ctt\u003ejson_to_node/1\u003c/tt\u003e function passes the attacker-controlled \u003ctt\u003enode_type\u003c/tt\u003e value to \u003ctt\u003eModule.concat/1\u003c/tt\u003e, which calls \u003ctt\u003eString.to_atom/1\u003c/tt\u003e and interns a brand-new atom for every distinct value. Atoms are never garbage collected on the BEAM, so a crafted JSON document carrying a unique \u003ctt\u003enode_type\u003c/tt\u003e at each (deeply nested) node mints one permanent atom per node.\u003c/p\u003e\u003cp\u003eA single document can intern hundreds of thousands of atoms, and a large enough document exhausts the default atom table (around 1,048,576 atoms) and aborts the entire Erlang VM, taking down every process on the node. Any application that passes untrusted input to the \u003ctt\u003e{:json, ...}\u003c/tt\u003e source of \u003ctt\u003eMDEx.parse_document\u003c/tt\u003e is exposed to an unauthenticated denial-of-service.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.4.3 before 0.13.2.\u003c/p\u003e"
            }
          ],
          "value": "Allocation of Resources Without Limits or Throttling vulnerability in leandrocp MDEx allows Excessive Allocation.\n\nMDEx.parse_document/2 accepts a {:json, json} source. In lib/mdex.ex, the private json_to_node/1 function passes the attacker-controlled node_type value to Module.concat/1, which calls String.to_atom/1 and interns a brand-new atom for every distinct value. Atoms are never garbage collected on the BEAM, so a crafted JSON document carrying a unique node_type at each (deeply nested) node mints one permanent atom per node.\n\nA single document can intern hundreds of thousands of atoms, and a large enough document exhausts the default atom table (around 1,048,576 atoms) and aborts the entire Erlang VM, taking down every process on the node. Any application that passes untrusted input to the {:json, ...} source of MDEx.parse_document is exposed to an unauthenticated denial-of-service.\n\nThis issue affects mdex from 0.4.3 before 0.13.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T04:38:27.190Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/leandrocp/mdex/security/advisories/GHSA-923r-7vf4-5vw8"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-53426.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-53426"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/leandrocp/mdex/commit/00fddf444220a1f1cc0af0a1cab6738804878387"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Atom-table exhaustion denial-of-service via JSON parse_document in MDEx",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDo not pass untrusted or attacker-controlled input to the \u003ctt\u003e{:json, ...}\u003c/tt\u003e source of \u003ctt\u003eMDEx.parse_document/2\u003c/tt\u003e. The \u003ctt\u003e{:markdown, ...}\u003c/tt\u003e source is not affected.\u003c/p\u003e"
            }
          ],
          "value": "Do not pass untrusted or attacker-controlled input to the {:json, ...} source of MDEx.parse_document/2. The {:markdown, ...} source is not affected."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-53426",
    "datePublished": "2026-06-29T19:11:32.605Z",
    "dateReserved": "2026-06-09T11:01:47.529Z",
    "dateUpdated": "2026-06-30T04:38:27.190Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-54889 (GCVE-0-2026-54889)

Vulnerability from cvelistv5 – Published: 2026-06-29 19:10 – Updated: 2026-06-30 04:38
Title
Unsanitized URL schemes in MDEx Quill Delta output allow javascript: injection (XSS)
Summary
Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output.

'Elixir.MDEx':to_delta/2 converts Markdown into a Quill Delta. 'Elixir.MDEx.DeltaConverter':default_convert_node/3 in lib/mdex/delta_converter.ex copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta "link" or "image" attribute without applying a scheme allowlist or any normalization.

An attacker who controls the Markdown text can supply a javascript: URL (for example [click](javascript:alert(document.cookie))) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as quill-delta-to-html or the Quill client), the attribute becomes an <a href> or <img src>, and the javascript: scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because javascript: in an href executes on click; the image case is lower impact because javascript: in <img src> generally does not execute in modern browsers.

This issue affects mdex from 0.8.3 before 0.13.2.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
EEF
Impacted products
Vendor Product Version
leandrocp mdex Affected: 0.8.3 , < 0.13.2 (semver)
    cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*
    leandrocp mdex Affected: 9852db2456fdc9d856eb636603a7f608e22e3793 , < 2817147f5b87ce7186aa604c9ee72499485b8f2f (git)
    cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*
Credits
Peter Ullrich Leandro Pereira Jonatan Männchen / EEF
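The record's workaround is to sanitize the Delta returned by 'Elixir.MDEx':to_delta/2 before it reaches a renderer, dropping any "link" or "image" value whose scheme is outside http, https, mailto and tel. The script below is an added example, not MDEx's code, of that post-processing step. It normalises URLs the way browsers do before parsing (strip tab, CR and LF anywhere, ignore leading and trailing C0 controls and spaces, compare the scheme case-insensitively) so that the usual evasions of a naive prefix check are caught, treats relative references as safe, and also covers images carried as Quill embeds (%{"insert" => %{"image" => url}}), which the advisory does not mention and is an assumption about renderer input here. The sample Delta is constructed for the example.

```elixir
# Added example (not MDEx's own code). Post-processes the Delta that
# MDEx.to_delta/2 returns so that only allowlisted URL schemes reach the
# renderer. Run with: elixir delta_sanitizer.exs
defmodule DeltaSanitizer do
  @allowed_schemes ~w(http https mailto tel)

  @doc """
  True when `url` is a relative reference or uses an allowlisted scheme.
  Normalisation mirrors what browsers do before they parse a URL, so the
  usual evasions (mixed case, embedded tabs, leading whitespace) are caught.
  """
  def safe_url?(url) when is_binary(url) do
    normalized =
      url
      # Browsers strip ASCII tab, CR and LF from anywhere in a URL.
      |> String.replace(~r/[\t\r\n]/, "")
      # ...and ignore leading/trailing C0 controls and spaces.
      |> String.replace(~r/\A[\x00-\x20]+|[\x00-\x20]+\z/, "")

    # RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":"
    case Regex.run(~r/\A([A-Za-z][A-Za-z0-9+.\-]*):/, normalized, capture: :all_but_first) do
      nil -> true
      [scheme] -> String.downcase(scheme) in @allowed_schemes
    end
  end

  def safe_url?(_non_binary), do: false

  @doc "Walks a Quill Delta and drops unsafe link/image URLs from its ops."
  def sanitize_delta(%{"ops" => ops} = delta) when is_list(ops) do
    %{delta | "ops" => Enum.map(ops, &sanitize_op/1)}
  end

  # Inline formats live under "attributes". Assumption for this example: the
  # "link" and "image" keys named in the advisory are the only URL carriers.
  defp sanitize_op(%{"attributes" => attrs} = op) when is_map(attrs) do
    attrs = Enum.reduce(["link", "image"], attrs, &drop_unsafe_attr/2)

    op =
      if map_size(attrs) == 0,
        do: Map.delete(op, "attributes"),
        else: %{op | "attributes" => attrs}

    sanitize_embed(op)
  end

  defp sanitize_op(op), do: sanitize_embed(op)

  defp drop_unsafe_attr(key, attrs) do
    case Map.fetch(attrs, key) do
      {:ok, url} -> if safe_url?(url), do: attrs, else: Map.delete(attrs, key)
      :error -> attrs
    end
  end

  # Quill also represents images as embeds: %{"insert" => %{"image" => url}}.
  defp sanitize_embed(%{"insert" => %{"image" => url} = embed} = op) do
    if safe_url?(url), do: op, else: %{op | "insert" => %{embed | "image" => ""}}
  end

  defp sanitize_embed(op), do: op
end

# Constructed sample Delta: the shape the advisory's [click](javascript:...)
# payload produces, plus evasion attempts and benign URLs.
sample = %{
  "ops" => [
    %{"insert" => "click", "attributes" => %{"link" => "javascript:alert(document.cookie)"}},
    %{"insert" => "sneaky", "attributes" => %{"link" => " JaVa\tScRiPt:alert(1)"}},
    %{"insert" => "docs", "attributes" => %{"bold" => true, "link" => "https://example.com/docs"}},
    %{"insert" => "relative", "attributes" => %{"link" => "/path?next=javascript:1"}},
    %{"insert" => %{"image" => "data:text/html;base64,PHNjcmlwdD4="}},
    %{"insert" => "\n"}
  ]
}

IO.inspect(DeltaSanitizer.sanitize_delta(sample), pretty: true)
```

In the sample, the first two links lose their "link" attribute (the second despite the case mixing, leading space and embedded tab), the https link and the relative path are kept, and the data: image embed is blanked. The check is deliberately scheme-based rather than a javascript: denylist: data:, vbscript: and any scheme a future browser adds are all refused by default.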

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54889",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-29T20:48:34.044130Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-29T20:48:52.206Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/leandrocp/mdex/security/advisories/GHSA-4383-7xfp-gpph"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.MDEx\u0027",
            "\u0027Elixir.MDEx.DeltaConverter\u0027"
          ],
          "packageName": "mdex",
          "packageURL": "pkg:hex/mdex",
          "product": "mdex",
          "programFiles": [
            "lib/mdex.ex",
            "lib/mdex/delta_converter.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.MDEx\u0027:to_delta/2"
            },
            {
              "name": "\u0027Elixir.MDEx.DeltaConverter\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.MDEx.DeltaConverter\u0027:default_convert_node/3"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "0.13.2",
              "status": "affected",
              "version": "0.8.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.MDEx\u0027",
            "\u0027Elixir.MDEx.DeltaConverter\u0027"
          ],
          "packageName": "leandrocp/mdex",
          "packageURL": "pkg:github/leandrocp/mdex",
          "product": "mdex",
          "programFiles": [
            "lib/mdex.ex",
            "lib/mdex/delta_converter.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.MDEx\u0027:to_delta/2"
            },
            {
              "name": "\u0027Elixir.MDEx.DeltaConverter\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.MDEx.DeltaConverter\u0027:default_convert_node/3"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "2817147f5b87ce7186aa604c9ee72499485b8f2f",
              "status": "affected",
              "version": "9852db2456fdc9d856eb636603a7f608e22e3793",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe application must pass untrusted Markdown to \u003ctt\u003e\u0027Elixir.MDEx\u0027:to_delta/2\u003c/tt\u003e and then render the resulting Quill Delta to HTML with a renderer that maps the \u003ctt\u003e\"link\"\u003c/tt\u003e and \u003ctt\u003e\"image\"\u003c/tt\u003e attributes to \u003ctt\u003ehref\u003c/tt\u003e and \u003ctt\u003esrc\u003c/tt\u003e without applying its own URL scheme sanitization (for example \u003ctt\u003equill-delta-to-html\u003c/tt\u003e or the Quill client).\u003c/p\u003e"
            }
          ],
          "value": "The application must pass untrusted Markdown to \u0027Elixir.MDEx\u0027:to_delta/2 and then render the resulting Quill Delta to HTML with a renderer that maps the \"link\" and \"image\" attributes to href and src without applying its own URL scheme sanitization (for example quill-delta-to-html or the Quill client)."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.13.2",
                  "versionStartIncluding": "0.8.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Leandro Pereira"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen / EEF"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output.\u003cp\u003e\u003ctt\u003e\u0027Elixir.MDEx\u0027:to_delta/2\u003c/tt\u003e converts Markdown into a Quill Delta. \u003ctt\u003e\u0027Elixir.MDEx.DeltaConverter\u0027:default_convert_node/3\u003c/tt\u003e in \u003ctt\u003elib/mdex/delta_converter.ex\u003c/tt\u003e copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta \u003ctt\u003e\"link\"\u003c/tt\u003e or \u003ctt\u003e\"image\"\u003c/tt\u003e attribute without applying a scheme allowlist or any normalization.\u003c/p\u003e\u003cp\u003eAn attacker who controls the Markdown text can supply a \u003ctt\u003ejavascript:\u003c/tt\u003e URL (for example \u003ctt\u003e[click](javascript:alert(document.cookie))\u003c/tt\u003e) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as \u003ctt\u003equill-delta-to-html\u003c/tt\u003e or the Quill client), the attribute becomes an \u003ctt\u003e\u0026lt;a href\u0026gt;\u003c/tt\u003e or \u003ctt\u003e\u0026lt;img src\u0026gt;\u003c/tt\u003e, and the \u003ctt\u003ejavascript:\u003c/tt\u003e scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because \u003ctt\u003ejavascript:\u003c/tt\u003e in an \u003ctt\u003ehref\u003c/tt\u003e executes on click; the image case is lower impact because \u003ctt\u003ejavascript:\u003c/tt\u003e in \u003ctt\u003e\u0026lt;img src\u0026gt;\u003c/tt\u003e generally does not execute in modern browsers.\u003c/p\u003e\u003cp\u003eThis issue affects mdex: from 0.8.3 before 0.13.2.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output.\n\n\u0027Elixir.MDEx\u0027:to_delta/2 converts Markdown into a Quill Delta. \u0027Elixir.MDEx.DeltaConverter\u0027:default_convert_node/3 in lib/mdex/delta_converter.ex copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta \"link\" or \"image\" attribute without applying a scheme allowlist or any normalization.\n\nAn attacker who controls the Markdown text can supply a javascript: URL (for example [click](javascript:alert(document.cookie))) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as quill-delta-to-html or the Quill client), the attribute becomes an \u003ca href\u003e or \u003cimg src\u003e, and the javascript: scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because javascript: in an href executes on click; the image case is lower impact because javascript: in \u003cimg src\u003e generally does not execute in modern browsers.\n\nThis issue affects mdex: from 0.8.3 before 0.13.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-244",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-244 XSS Targeting URI Placeholders"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T04:38:42.158Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/leandrocp/mdex/security/advisories/GHSA-4383-7xfp-gpph"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-54889.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-54889"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/leandrocp/mdex/commit/2817147f5b87ce7186aa604c9ee72499485b8f2f"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unsanitized URL schemes in MDEx Quill Delta output allow javascript: injection (XSS)",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSanitize the Quill Delta produced by \u003ctt\u003e\u0027Elixir.MDEx\u0027:to_delta/2\u003c/tt\u003e before rendering it: drop or blank any \u003ctt\u003e\"link\"\u003c/tt\u003e or \u003ctt\u003e\"image\"\u003c/tt\u003e value whose URL scheme is not in a safe allowlist (\u003ctt\u003ehttp\u003c/tt\u003e, \u003ctt\u003ehttps\u003c/tt\u003e, \u003ctt\u003emailto\u003c/tt\u003e, \u003ctt\u003etel\u003c/tt\u003e).\u003c/p\u003e"
            }
          ],
          "value": "Sanitize the Quill Delta produced by \u0027Elixir.MDEx\u0027:to_delta/2 before rendering it: drop or blank any \"link\" or \"image\" value whose URL scheme is not in a safe allowlist (http, https, mailto, tel)."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-54889",
    "datePublished": "2026-06-29T19:10:49.841Z",
    "dateReserved": "2026-06-16T10:47:13.915Z",
    "dateUpdated": "2026-06-30T04:38:42.158Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-54888 (GCVE-0-2026-54888)

Vulnerability from cvelistv5 – Published: 2026-06-29 19:10 – Updated: 2026-06-30 04:37
Title
Uncontrolled recursion over deeply nested Markdown crashes the BEAM in mdex
Summary
Uncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input.

mdex converts between an Elixir %MDEx.Document{} struct and Comrak's internal AST using two mutually recursive Rust functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document, in the NIF source file document.rs. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input.

An attacker who can get a Markdown document rendered (for example through MDEx.parse_document!/1 or MDEx.to_html/1) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack. Because the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required.

The vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3.
CWE
Assigner
EEF
Impacted products
Vendor Product Version
leandrocp mdex Affected: 0.3.0 , < 0.12.3 (semver)
    cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*
    leandrocp mdex Affected: d0bc7d55177727c61d188ef465178ab3b81f4f2c , < 6ed94d905f97af188323f042698ae841c02293b4 (git)
    cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*
    leandrocp mdex_native Affected: 0.1.0 , < 0.2.3 (semver)
    cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*
    leandrocp mdex_native Affected: 956528c5e31746253347029e810a969ab916fd27 , < 947696c47bc22bea5dffc0f78c946fa6b70ce183 (git)
    cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*
Credits
Peter Ullrich Leandro Pereira Jonatan Männchen / EEF
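Because the crash happens inside a NIF, nothing on the Elixir side can catch it once the native recursion starts; the only place to intervene on unpatched versions is before the Markdown is handed over. The script below is an added example, not mdex or mdex_native code, of a cheap input-side guard: it measures the deepest run of block-quote markers opening any line (CommonMark allows up to three spaces before each `>` and an optional space after it) and refuses documents above a threshold. The threshold of 64 is an assumption for the example, and the guard only covers the vector the advisory names, block quotes in Markdown text; the inputs are constructed.

```elixir
# Added example (not mdex's own code). Bounds block-quote nesting before the
# Markdown is handed to MDEx.to_html/1 or MDEx.parse_document!/1, so a
# hostile document is refused in Elixir instead of overflowing the NIF stack.
# Run with: elixir nesting_guard.exs
defmodule NestingGuard do
  # Assumed threshold for the example. Keep it far below the depth at which
  # your deployment's native stack gives out; a few dozen levels is more
  # nesting than any real document needs.
  @max_depth 64

  @doc """
  Deepest run of block-quote markers (`>`) opening any line. CommonMark
  permits up to three spaces of indentation before each marker and an
  optional space after it, which this mirrors.
  """
  def max_blockquote_depth(markdown) when is_binary(markdown) do
    markdown
    |> String.split(["\r\n", "\n"])
    |> Enum.map(&line_depth(&1, 0))
    |> Enum.max()
  end

  defp line_depth(line, depth) do
    case strip_indent(line, 0) do
      ">" <> rest -> line_depth(String.replace_prefix(rest, " ", ""), depth + 1)
      _other -> depth
    end
  end

  # Drop at most three leading spaces; four or more would make the line an
  # indented code block, not a quote.
  defp strip_indent(" " <> rest, n) when n < 3, do: strip_indent(rest, n + 1)
  defp strip_indent(line, _n), do: line

  @doc "Refuse over-nested Markdown up front; the caller only renders {:ok, md}."
  def check(markdown) when is_binary(markdown) do
    depth = max_blockquote_depth(markdown)
    if depth > @max_depth, do: {:error, {:too_deep, depth}}, else: {:ok, markdown}
  end
end

# Constructed inputs: an ordinary quote and a document in the shape the
# advisory describes, thousands of nested block quotes on one line.
shallow = "> quoted\n>> nested reply\n\nplain paragraph"
hostile = String.duplicate(">", 5_000) <> " boom\n"

IO.inspect(NestingGuard.check(shallow), label: "shallow")
IO.inspect(NestingGuard.check(hostile), label: "hostile")
```

The shallow document measures two levels and passes; the hostile one measures 5,000 and is rejected before any NIF call. Treat this as a stopgap only: other container blocks nest as well, and a %MDEx.Document{} built directly in Elixir goes through ex_document_to_comrak_ast without ever passing through this check, so upgrading to mdex 0.12.3 / mdex_native 0.2.3 remains the fix.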

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54888",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-29T20:47:22.348133Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-29T20:47:50.953Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-3w4f-53g2-f66p"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "comrak_nif",
            "\u0027Elixir.MDEx\u0027",
            "\u0027Elixir.MDEx.Native\u0027"
          ],
          "packageName": "mdex",
          "packageURL": "pkg:hex/mdex",
          "product": "mdex",
          "programFiles": [
            "native/comrak_nif/src/types/document.rs",
            "lib/mdex.ex",
            "lib/mdex/native.ex"
          ],
          "programRoutines": [
            {
              "name": "comrak_nif::types::document::ex_document_to_comrak_ast"
            },
            {
              "name": "comrak_nif::types::document::comrak_ast_to_ex_document"
            },
            {
              "name": "\u0027Elixir.MDEx\u0027:parse_document!/1"
            },
            {
              "name": "\u0027Elixir.MDEx\u0027:to_html/1"
            },
            {
              "name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "0.12.3",
              "status": "affected",
              "version": "0.3.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "comrak_nif",
            "\u0027Elixir.MDEx\u0027",
            "\u0027Elixir.MDEx.Native\u0027"
          ],
          "packageName": "leandrocp/mdex",
          "packageURL": "pkg:github/leandrocp/mdex",
          "product": "mdex",
          "programFiles": [
            "native/comrak_nif/src/types/document.rs",
            "lib/mdex.ex",
            "lib/mdex/native.ex"
          ],
          "programRoutines": [
            {
              "name": "comrak_nif::types::document::ex_document_to_comrak_ast"
            },
            {
              "name": "comrak_nif::types::document::comrak_ast_to_ex_document"
            },
            {
              "name": "\u0027Elixir.MDEx\u0027:parse_document!/1"
            },
            {
              "name": "\u0027Elixir.MDEx\u0027:to_html/1"
            },
            {
              "name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
              "status": "affected",
              "version": "d0bc7d55177727c61d188ef465178ab3b81f4f2c",
              "versionType": "git"
            }
          ]
        },
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "mdex_native_nif",
            "\u0027Elixir.MDExNative.Native\u0027"
          ],
          "packageName": "mdex_native",
          "packageURL": "pkg:hex/mdex_native",
          "product": "mdex_native",
          "programFiles": [
            "native/mdex_native_nif/src/types/document.rs",
            "lib/mdex_native/native.ex"
          ],
          "programRoutines": [
            {
              "name": "mdex_native_nif::types::document::ex_document_to_comrak_ast"
            },
            {
              "name": "mdex_native_nif::types::document::comrak_ast_to_ex_document"
            },
            {
              "name": "\u0027Elixir.MDExNative.Native\u0027:parse_document/2"
            },
            {
              "name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex_native",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "0.2.3",
              "status": "affected",
              "version": "0.1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "mdex_native_nif",
            "\u0027Elixir.MDExNative.Native\u0027"
          ],
          "packageName": "leandrocp/mdex_native",
          "packageURL": "pkg:github/leandrocp/mdex_native",
          "product": "mdex_native",
          "programFiles": [
            "native/mdex_native_nif/src/types/document.rs",
            "lib/mdex_native/native.ex"
          ],
          "programRoutines": [
            {
              "name": "mdex_native_nif::types::document::ex_document_to_comrak_ast"
            },
            {
              "name": "mdex_native_nif::types::document::comrak_ast_to_ex_document"
            },
            {
              "name": "\u0027Elixir.MDExNative.Native\u0027:parse_document/2"
            },
            {
              "name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex_native",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "947696c47bc22bea5dffc0f78c946fa6b70ce183",
              "status": "affected",
              "version": "956528c5e31746253347029e810a969ab916fd27",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.12.3",
                  "versionStartIncluding": "0.3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.2.3",
                  "versionStartIncluding": "0.1.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Leandro Pereira"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen / EEF"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input.\u003c/p\u003e\u003cp\u003emdex converts between an Elixir \u003ctt\u003e%MDEx.Document{}\u003c/tt\u003e struct and Comrak\u0027s internal AST using two mutually recursive Rust functions, \u003ctt\u003eex_document_to_comrak_ast\u003c/tt\u003e and \u003ctt\u003ecomrak_ast_to_ex_document\u003c/tt\u003e, in the NIF source file \u003ctt\u003edocument.rs\u003c/tt\u003e. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input. An attacker who can get a Markdown document rendered (for example through \u003ctt\u003eMDEx.parse_document!/1\u003c/tt\u003e or \u003ctt\u003eMDEx.to_html/1\u003c/tt\u003e) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack.\u003c/p\u003e\u003cp\u003eBecause the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required.\u003c/p\u003e\u003cp\u003eThe vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
            }
          ],
          "value": "Uncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input.\n\nmdex converts between an Elixir %MDEx.Document{} struct and Comrak\u0027s internal AST using two mutually recursive Rust functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document, in the NIF source file document.rs. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input. An attacker who can get a Markdown document rendered (for example through MDEx.parse_document!/1 or MDEx.to_html/1) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack.\n\nBecause the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required.\n\nThe vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackVector": "LOCAL",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674 Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T04:37:59.369Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-3w4f-53g2-f66p"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-54888.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-54888"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/leandrocp/mdex_native/commit/947696c47bc22bea5dffc0f78c946fa6b70ce183"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Uncontrolled recursion over deeply nested Markdown crashes the BEAM in mdex",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-54888",
    "datePublished": "2026-06-29T19:10:38.151Z",
    "dateReserved": "2026-06-16T10:47:13.915Z",
    "dateUpdated": "2026-06-30T04:37:59.369Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-53429 (GCVE-0-2026-53429)

Vulnerability from cvelistv5 – Published: 2026-06-29 19:07 – Updated: 2026-06-30 04:38
Title
Unbounded native memory leak in mdex escaped-tag rendering enables unauthenticated denial of service
Summary
Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion. The native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each %MDEx.EscapedTag{} node into its native representation (From<ExEscapedTag> for NodeValue in the Rust NIF) calls Box::leak on the caller-supplied literal string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed. Both the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks literal_size x node_count bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public MDEx.to_html/1 entry point and any other API that renders a supplied %MDEx.Document{}. Any application that uses mdex (or mdex_native directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it. The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/types/document.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/types/document.rs), where it remains unpatched. This issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
CWE
  • CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
EEF
Impacted products
Vendor Product Version
leandrocp mdex Affected: 0.11.0 , < 0.12.3 (semver)
    cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*
    leandrocp mdex Affected: 81e4d14dd3aa5b206e395c7f372b9b413793015f , < 6ed94d905f97af188323f042698ae841c02293b4 (git)
    cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*
    leandrocp mdex_native Affected: 0.1.0 , < 0.2.3 (semver)
    cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*
    leandrocp mdex_native Affected: 956528c5e31746253347029e810a969ab916fd27 , < cbd927fb5061b488de8d90a8ef6df65718ca1fe6 (git)
    cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*
Credits
Peter Ullrich (finder), Leandro Pereira (remediation developer), Jonatan Männchen / EEF (analyst)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-53429",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-29T20:45:00.827777Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-29T20:45:38.367Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-cmvp-gp9f-23xw"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.MDEx\u0027",
            "comrak_nif"
          ],
          "packageName": "mdex",
          "packageURL": "pkg:hex/mdex",
          "product": "mdex",
          "programFiles": [
            "native/comrak_nif/src/types/document.rs"
          ],
          "programRoutines": [
            {
              "name": "comrak_nif::document_to_html_with_options"
            },
            {
              "name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
            },
            {
              "name": "\u0027Elixir.MDEx\u0027:to_html/1"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "0.12.3",
              "status": "affected",
              "version": "0.11.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.MDEx\u0027",
            "comrak_nif"
          ],
          "packageName": "leandrocp/mdex",
          "packageURL": "pkg:github/leandrocp/mdex",
          "product": "mdex",
          "programFiles": [
            "native/comrak_nif/src/types/document.rs"
          ],
          "programRoutines": [
            {
              "name": "comrak_nif::document_to_html_with_options"
            },
            {
              "name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
            },
            {
              "name": "\u0027Elixir.MDEx\u0027:to_html/1"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
              "status": "affected",
              "version": "81e4d14dd3aa5b206e395c7f372b9b413793015f",
              "versionType": "git"
            }
          ]
        },
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.MDExNative.Comrak\u0027",
            "mdex_native_nif"
          ],
          "packageName": "mdex_native",
          "packageURL": "pkg:hex/mdex_native",
          "product": "mdex_native",
          "programFiles": [
            "native/mdex_native_nif/src/types/document.rs"
          ],
          "programRoutines": [
            {
              "name": "mdex_native_nif::document_to_html_with_options"
            },
            {
              "name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
            },
            {
              "name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex_native",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "0.2.3",
              "status": "affected",
              "version": "0.1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.MDExNative.Comrak\u0027",
            "mdex_native_nif"
          ],
          "packageName": "leandrocp/mdex_native",
          "packageURL": "pkg:github/leandrocp/mdex_native",
          "product": "mdex_native",
          "programFiles": [
            "native/mdex_native_nif/src/types/document.rs"
          ],
          "programRoutines": [
            {
              "name": "mdex_native_nif::document_to_html_with_options"
            },
            {
              "name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
            },
            {
              "name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex_native",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "cbd927fb5061b488de8d90a8ef6df65718ca1fe6",
              "status": "affected",
              "version": "956528c5e31746253347029e810a969ab916fd27",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.12.3",
                  "versionStartIncluding": "0.11.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.2.3",
                  "versionStartIncluding": "0.1.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Leandro Pereira"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen / EEF"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion.\u003cp\u003eThe native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each \u003ctt\u003e%MDEx.EscapedTag{}\u003c/tt\u003e node into its native representation (\u003ctt\u003eFrom\u0026lt;ExEscapedTag\u0026gt; for NodeValue\u003c/tt\u003e in the Rust NIF) calls \u003ctt\u003eBox::leak\u003c/tt\u003e on the caller-supplied \u003ctt\u003eliteral\u003c/tt\u003e string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed.\u003c/p\u003e\u003cp\u003eBoth the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks \u003ctt\u003eliteral_size \u0026times; node_count\u003c/tt\u003e bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public \u003ctt\u003eMDEx.to_html/1\u003c/tt\u003e entry point and any other API that renders a supplied \u003ctt\u003e%MDEx.Document{}\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eAny application that uses \u003ctt\u003emdex\u003c/tt\u003e (or \u003ctt\u003emdex_native\u003c/tt\u003e directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it.\u003c/p\u003e\u003cp\u003eThe vulnerable native code originally shipped inside \u003ctt\u003emdex\u003c/tt\u003e (in \u003ctt\u003enative/comrak_nif/src/types/document.rs\u003c/tt\u003e) and was later extracted into the separate \u003ctt\u003emdex_native\u003c/tt\u003e package (\u003ctt\u003enative/mdex_native_nif/src/types/document.rs\u003c/tt\u003e), where it remains unpatched.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
            }
          ],
          "value": "Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion.\n\nThe native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each %MDEx.EscapedTag{} node into its native representation (From\u003cExEscapedTag\u003e for NodeValue in the Rust NIF) calls Box::leak on the caller-supplied literal string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed.\n\nBoth the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks literal_size x node_count bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public MDEx.to_html/1 entry point and any other API that renders a supplied %MDEx.Document{}.\n\nAny application that uses mdex (or mdex_native directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/types/document.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/types/document.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T04:38:14.140Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-cmvp-gp9f-23xw"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-53429.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-53429"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/leandrocp/mdex_native/commit/cbd927fb5061b488de8d90a8ef6df65718ca1fe6"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unbounded native memory leak in mdex escaped-tag rendering enables unauthenticated denial of service",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-53429",
    "datePublished": "2026-06-29T19:07:16.954Z",
    "dateReserved": "2026-06-09T11:01:47.529Z",
    "dateUpdated": "2026-06-30T04:38:14.140Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-53428 (GCVE-0-2026-53428)

Vulnerability from cvelistv5 – Published: 2026-06-29 18:52 – Updated: 2026-06-30 04:38
Title
Unbounded memory allocation in highlight_lines range expansion in mdex
Summary
Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation. comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines in native/comrak_nif/src/lumis_adapter.rs eagerly expands a user-controlled inclusive line range from a fenced code block's highlight_lines decorator into a Vec<usize>, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with MDEx.to_html/2 (for example a comment, chat message, or wiki page) can embed a code block whose info string is rust highlight_lines="1-100000000", forcing the native adapter to allocate roughly 8 bytes per line in the range. A payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example 1-2000000000) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory. The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched. This issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
CWE
  • CWE-789 - Memory Allocation with Excessive Size Value
Assigner
EEF
Impacted products
Vendor Product Version
leandrocp mdex Affected: 0.11.0 , < 0.12.3 (semver)
    cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*
    leandrocp mdex Affected: a8407611715d1ead35fbcba79c72cef1b7df387b , < 6ed94d905f97af188323f042698ae841c02293b4 (git)
    cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*
    leandrocp mdex_native Affected: 0.1.0 , < 0.2.3 (semver)
    cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*
    leandrocp mdex_native Affected: 956528c5e31746253347029e810a969ab916fd27 , < 798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3 (git)
    cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*
Credits
Peter Ullrich (finder), Leandro Pereira (remediation developer), Jonatan Männchen / EEF (analyst)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-53428",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-29T19:17:11.005816Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-29T19:17:25.070Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.MDEx\u0027",
            "comrak_nif"
          ],
          "packageName": "mdex",
          "packageURL": "pkg:hex/mdex",
          "product": "mdex",
          "programFiles": [
            "native/comrak_nif/src/lumis_adapter.rs"
          ],
          "programRoutines": [
            {
              "name": "comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
            },
            {
              "name": "\u0027Elixir.MDEx\u0027:to_html/2"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "0.12.3",
              "status": "affected",
              "version": "0.11.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.MDEx\u0027",
            "comrak_nif"
          ],
          "packageName": "leandrocp/mdex",
          "packageURL": "pkg:github/leandrocp/mdex",
          "product": "mdex",
          "programFiles": [
            "native/comrak_nif/src/lumis_adapter.rs"
          ],
          "programRoutines": [
            {
              "name": "comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
            },
            {
              "name": "\u0027Elixir.MDEx\u0027:to_html/2"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
              "status": "affected",
              "version": "a8407611715d1ead35fbcba79c72cef1b7df387b",
              "versionType": "git"
            }
          ]
        },
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.MDExNative.Comrak\u0027",
            "mdex_native_nif"
          ],
          "packageName": "mdex_native",
          "packageURL": "pkg:hex/mdex_native",
          "product": "mdex_native",
          "programFiles": [
            "native/mdex_native_nif/src/lumis_adapter.rs"
          ],
          "programRoutines": [
            {
              "name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
            },
            {
              "name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
            },
            {
              "name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex_native",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "0.2.3",
              "status": "affected",
              "version": "0.1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.MDExNative.Comrak\u0027",
            "mdex_native_nif"
          ],
          "packageName": "leandrocp/mdex_native",
          "packageURL": "pkg:github/leandrocp/mdex_native",
          "product": "mdex_native",
          "programFiles": [
            "native/mdex_native_nif/src/lumis_adapter.rs"
          ],
          "programRoutines": [
            {
              "name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
            },
            {
              "name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
            },
            {
              "name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex_native",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3",
              "status": "affected",
              "version": "956528c5e31746253347029e810a969ab916fd27",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eExploitation requires the application to enable code-block decorators. Decorators are active only when the render options \u003ctt\u003egithub_pre_lang\u003c/tt\u003e and \u003ctt\u003efull_info_string\u003c/tt\u003e are both set and an inline syntax-highlight formatter (for example \u003ctt\u003e{:html_inline, ...}\u003c/tt\u003e) is configured. Applications that render Markdown with the default options do not parse \u003ctt\u003ehighlight_lines\u003c/tt\u003e specifications and are not affected.\u003c/p\u003e"
            }
          ],
          "value": "Exploitation requires the application to enable code-block decorators. Decorators are active only when the render options github_pre_lang and full_info_string are both set and an inline syntax-highlight formatter (for example {:html_inline, ...}) is configured. Applications that render Markdown with the default options do not parse highlight_lines specifications and are not affected."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.12.3",
                  "versionStartIncluding": "0.11.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.2.3",
                  "versionStartIncluding": "0.1.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Leandro Pereira"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen / EEF"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation.\u003cp\u003e\u003ctt\u003ecomrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines\u003c/tt\u003e in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e eagerly expands a user-controlled inclusive line range from a fenced code block\u0027s \u003ctt\u003ehighlight_lines\u003c/tt\u003e decorator into a \u003ctt\u003eVec\u0026lt;usize\u0026gt;\u003c/tt\u003e, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with \u003ctt\u003eMDEx.to_html/2\u003c/tt\u003e (for example a comment, chat message, or wiki page) can embed a code block whose info string is \u003ctt\u003erust highlight_lines=\"1-100000000\"\u003c/tt\u003e, forcing the native adapter to allocate roughly 8 bytes per line in the range.\u003c/p\u003e\u003cp\u003eA payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example \u003ctt\u003e1-2000000000\u003c/tt\u003e) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory.\u003c/p\u003e\u003cp\u003eThe vulnerable native code originally shipped inside \u003ctt\u003emdex\u003c/tt\u003e (in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e) and was later extracted into the separate \u003ctt\u003emdex_native\u003c/tt\u003e package (\u003ctt\u003enative/mdex_native_nif/src/lumis_adapter.rs\u003c/tt\u003e), where it remains unpatched.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
            }
          ],
          "value": "Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation.\n\ncomrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines in native/comrak_nif/src/lumis_adapter.rs eagerly expands a user-controlled inclusive line range from a fenced code block\u0027s highlight_lines decorator into a Vec\u003cusize\u003e, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with MDEx.to_html/2 (for example a comment, chat message, or wiki page) can embed a code block whose info string is rust highlight_lines=\"1-100000000\", forcing the native adapter to allocate roughly 8 bytes per line in the range.\n\nA payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example 1-2000000000) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789 Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T04:38:36.755Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-j93q-9cvj-rxfm"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-53428.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-53428"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/leandrocp/mdex_native/commit/798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unbounded memory allocation in highlight_lines range expansion in mdex",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDo not enable code-block decorators: leave the \u003ctt\u003egithub_pre_lang\u003c/tt\u003e and \u003ctt\u003efull_info_string\u003c/tt\u003e render options unset, or avoid configuring an inline syntax-highlight formatter, so that \u003ctt\u003ehighlight_lines\u003c/tt\u003e specifications are never parsed.\u003c/p\u003e"
            }
          ],
          "value": "Do not enable code-block decorators: leave the github_pre_lang and full_info_string render options unset, or avoid configuring an inline syntax-highlight formatter, so that highlight_lines specifications are never parsed."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-53428",
    "datePublished": "2026-06-29T18:52:36.199Z",
    "dateReserved": "2026-06-09T11:01:47.529Z",
    "dateUpdated": "2026-06-30T04:38:36.755Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-53427 (GCVE-0-2026-53427)

Vulnerability from cvelistv5 – Published: 2026-06-29 18:50 – Updated: 2026-06-30 04:37
Title
Cross-site scripting in MDEx via unescaped highlight_lines_class code-fence attribute
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown. When syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence's highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line <div>. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as '"><script>alert(1)</script>' terminates the class attribute early and the markup that follows is emitted as live HTML. An attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required. The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched. This issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
EEF
Impacted products
Vendor Product Version
leandrocp mdex Affected: 0.11.3 , < 0.12.3 (semver)
    cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*
    leandrocp mdex Affected: 0d7ffc84ea742e1daf666426814e5bb6d0499433 , < 6ed94d905f97af188323f042698ae841c02293b4 (git)
    cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*
    leandrocp mdex_native Affected: 0.1.0 , < 0.2.3 (semver)
    cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*
    leandrocp mdex_native Affected: 956528c5e31746253347029e810a969ab916fd27 , < 798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3 (git)
    cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*
Credits
Peter Ullrich (finder), Leandro Pereira (remediation developer), Jonatan Männchen / EEF (analyst)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-53427",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-29T19:18:13.166991Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-29T19:19:28.028Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.MDEx\u0027",
            "comrak_nif"
          ],
          "packageName": "mdex",
          "packageURL": "pkg:hex/mdex",
          "product": "mdex",
          "programFiles": [
            "native/comrak_nif/src/lumis_adapter.rs"
          ],
          "programRoutines": [
            {
              "name": "comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
            },
            {
              "name": "comrak_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
            },
            {
              "name": "comrak_nif::lumis_adapter::LumisAdapter::write_highlighted"
            },
            {
              "name": "\u0027Elixir.MDEx\u0027:to_html/2"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "0.12.3",
              "status": "affected",
              "version": "0.11.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.MDEx\u0027",
            "comrak_nif"
          ],
          "packageName": "leandrocp/mdex",
          "packageURL": "pkg:github/leandrocp/mdex",
          "product": "mdex",
          "programFiles": [
            "native/comrak_nif/src/lumis_adapter.rs"
          ],
          "programRoutines": [
            {
              "name": "comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
            },
            {
              "name": "comrak_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
            },
            {
              "name": "comrak_nif::lumis_adapter::LumisAdapter::write_highlighted"
            },
            {
              "name": "\u0027Elixir.MDEx\u0027:to_html/2"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
              "status": "affected",
              "version": "0d7ffc84ea742e1daf666426814e5bb6d0499433",
              "versionType": "git"
            }
          ]
        },
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.MDExNative.Comrak\u0027",
            "mdex_native_nif"
          ],
          "packageName": "mdex_native",
          "packageURL": "pkg:hex/mdex_native",
          "product": "mdex_native",
          "programFiles": [
            "native/mdex_native_nif/src/lumis_adapter.rs"
          ],
          "programRoutines": [
            {
              "name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
            },
            {
              "name": "mdex_native_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
            },
            {
              "name": "mdex_native_nif::lumis_adapter::LumisAdapter::write_highlighted"
            },
            {
              "name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
            },
            {
              "name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex_native",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "0.2.3",
              "status": "affected",
              "version": "0.1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.MDExNative.Comrak\u0027",
            "mdex_native_nif"
          ],
          "packageName": "leandrocp/mdex_native",
          "packageURL": "pkg:github/leandrocp/mdex_native",
          "product": "mdex_native",
          "programFiles": [
            "native/mdex_native_nif/src/lumis_adapter.rs"
          ],
          "programRoutines": [
            {
              "name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
            },
            {
              "name": "mdex_native_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
            },
            {
              "name": "mdex_native_nif::lumis_adapter::LumisAdapter::write_highlighted"
            },
            {
              "name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
            },
            {
              "name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
            }
          ],
          "repo": "https://github.com/leandrocp/mdex_native",
          "vendor": "leandrocp",
          "versions": [
            {
              "lessThan": "798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3",
              "status": "affected",
              "version": "956528c5e31746253347029e810a969ab916fd27",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe vulnerable code path is only reachable when MDEx is configured with a syntax-highlighting formatter (for example \u003ctt\u003esyntax_highlight: [formatter: {:html_inline, ...}]\u003c/tt\u003e or \u003ctt\u003e{:html_linked, ...}\u003c/tt\u003e) and with full info-string forwarding enabled (\u003ctt\u003erender: [full_info_string: true]\u003c/tt\u003e). Full info-string forwarding is required for comrak to hand the \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e attribute to the highlighter, so any application that uses the line-highlighting attributes already has it enabled.\u003c/p\u003e"
            }
          ],
          "value": "The vulnerable code path is only reachable when MDEx is configured with a syntax-highlighting formatter (for example syntax_highlight: [formatter: {:html_inline, ...}] or {:html_linked, ...}) and with full info-string forwarding enabled (render: [full_info_string: true]). Full info-string forwarding is required for comrak to hand the highlight_lines_class attribute to the highlighter, so any application that uses the line-highlighting attributes already has it enabled."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.12.3",
                  "versionStartIncluding": "0.11.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.2.3",
                  "versionStartIncluding": "0.1.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Leandro Pereira"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen / EEF"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.\u003c/p\u003e\u003cp\u003eWhen syntax highlighting and full info-string forwarding (\u003ctt\u003erender: [full_info_string: true]\u003c/tt\u003e) are enabled, the Lumis adapter copies the value of a code fence\u0027s \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e info-string attribute, unescaped, into the \u003ctt\u003eclass\u003c/tt\u003e attribute of every rendered line. \u003ctt\u003ecomrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes\u003c/tt\u003e in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e shlex-parses the info string and stores each \u003ctt\u003ekey=value\u003c/tt\u003e pair verbatim, \u003ctt\u003ehighlight_lines_config\u003c/tt\u003e pulls \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e into the per-line class value, and \u003ctt\u003ewrite_highlighted\u003c/tt\u003e interpolates that value directly into the \u003ctt\u003eclass\u003c/tt\u003e attribute of the per-line \u003ctt\u003e\u0026lt;div\u0026gt;\u003c/tt\u003e. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as \u003ctt\u003e\u0027\u0026quot;\u0026gt;\u0026lt;script\u0026gt;alert(1)\u0026lt;/script\u0026gt;\u0027\u003c/tt\u003e terminates the \u003ctt\u003eclass\u003c/tt\u003e attribute early and the markup that follows is emitted as live HTML.\u003c/p\u003e\u003cp\u003eAn attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.\u003c/p\u003e\u003cp\u003eThe vulnerable native code originally shipped inside \u003ctt\u003emdex\u003c/tt\u003e (in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e) and was later extracted into the separate \u003ctt\u003emdex_native\u003c/tt\u003e package (\u003ctt\u003enative/mdex_native_nif/src/lumis_adapter.rs\u003c/tt\u003e), where it remains unpatched.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.\n\nWhen syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence\u0027s highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line \u003cdiv\u003e. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as \u0027\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u0027 terminates the class attribute early and the markup that follows is emitted as live HTML.\n\nAn attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T04:37:51.902Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-v664-pmxr-mxxx"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-53427.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-53427"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/leandrocp/mdex_native/commit/798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Cross-site scripting in MDEx via unescaped highlight_lines_class code-fence attribute",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDo not enable full info-string forwarding (\u003ctt\u003erender: [full_info_string: true]\u003c/tt\u003e) when rendering untrusted Markdown, which prevents the \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e attribute from reaching the highlighter. Alternatively, restrict \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e values to a safe character set (for example \u003ctt\u003e[A-Za-z0-9_- ]\u003c/tt\u003e) before rendering.\u003c/p\u003e"
            }
          ],
          "value": "Do not enable full info-string forwarding (render: [full_info_string: true]) when rendering untrusted Markdown, which prevents the highlight_lines_class attribute from reaching the highlighter. Alternatively, restrict highlight_lines_class values to a safe character set (for example [A-Za-z0-9_- ]) before rendering."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-53427",
    "datePublished": "2026-06-29T18:50:17.185Z",
    "dateReserved": "2026-06-09T11:01:47.529Z",
    "dateUpdated": "2026-06-30T04:37:51.902Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-55736 (GCVE-0-2026-55736)

Vulnerability from cvelistv5 – Published: 2026-06-23 18:21 – Updated: 2026-06-23 18:21
Title
Private action arguments can be set by user input in Ash
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. Action arguments declared with public?: false are meant to be set internally (for example via Ash.Changeset.set_private_argument/3) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments, but the filtering is incomplete. In the regular changeset path (for_create, for_update, for_destroy), private arguments are stripped only when the parameter key is an atom. When the key is a binary (string), as is the case for user-supplied parameters, the private argument is kept and the user controls its value. In the atomic path (Ash.Changeset.fully_atomic_changeset/4, also reached through atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary. An attacker who can submit parameters to an action that defines a private argument can therefore inject a value for that argument. Depending on how the application uses the argument (for example an acting_user_id driving authorization or record ownership), this can lead to an integrity violation or privilege escalation. This issue affects ash: from 3.0.0 before 3.29.3.
CWE
  • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
EEF
Impacted products
Vendor Product Version
ash-project ash Affected: 3.0.0 , < 3.29.3 (semver)
    cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
    ash-project ash Affected: 5967ed3a483ab949866e6d7b043b043e61703f17 , < d9b3100219b3ea86d73202bf7368c03a7688efea (git)
    cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
Credits
Alfred Vié (finder), Zach Daniel (remediation reviewer), Jonatan Männchen / EEF (analyst)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Ash.Changeset\u0027"
          ],
          "packageName": "ash",
          "packageURL": "pkg:hex/ash",
          "product": "ash",
          "programFiles": [
            "lib/ash/changeset/changeset.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Ash.Changeset\u0027:cast_params/4"
            },
            {
              "name": "\u0027Elixir.Ash.Changeset\u0027:get_action_argument/2"
            },
            {
              "name": "\u0027Elixir.Ash.Changeset\u0027:atomic_params/4"
            },
            {
              "name": "\u0027Elixir.Ash.Changeset\u0027:has_argument?/2"
            }
          ],
          "repo": "https://github.com/ash-project/ash",
          "vendor": "ash-project",
          "versions": [
            {
              "lessThan": "3.29.3",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Ash.Changeset\u0027"
          ],
          "packageName": "ash-project/ash",
          "packageURL": "pkg:github/ash-project/ash",
          "product": "ash",
          "programFiles": [
            "lib/ash/changeset/changeset.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Ash.Changeset\u0027:cast_params/4"
            },
            {
              "name": "\u0027Elixir.Ash.Changeset\u0027:get_action_argument/2"
            },
            {
              "name": "\u0027Elixir.Ash.Changeset\u0027:atomic_params/4"
            },
            {
              "name": "\u0027Elixir.Ash.Changeset\u0027:has_argument?/2"
            }
          ],
          "repo": "https://github.com/ash-project/ash",
          "vendor": "ash-project",
          "versions": [
            {
              "lessThan": "d9b3100219b3ea86d73202bf7368c03a7688efea",
              "status": "affected",
              "version": "5967ed3a483ab949866e6d7b043b043e61703f17",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn action must declare a private argument (one defined with \u003ctt\u003epublic?: false\u003c/tt\u003e) whose value is meant to be set only by trusted server-side code, and the application must build the changeset from untrusted user-supplied parameters, passing them straight into \u003ctt\u003eAsh.Changeset.for_create/3\u003c/tt\u003e, \u003ctt\u003efor_update/3\u003c/tt\u003e, \u003ctt\u003efor_destroy/3\u003c/tt\u003e, or into an atomic or bulk update.\u003c/p\u003e"
            }
          ],
          "value": "An action must declare a private argument (one defined with public?: false) whose value is meant to be set only by trusted server-side code, and the application must build the changeset from untrusted user-supplied parameters, passing them straight into Ash.Changeset.for_create/3, for_update/3, for_destroy/3, or into an atomic or bulk update."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "3.29.3",
                  "versionStartIncluding": "3.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alfred Vi\u00e9"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Zach Daniel"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen / EEF"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code.\u003cp\u003eAction arguments declared with \u003ctt\u003epublic?: false\u003c/tt\u003e are meant to be set internally (for example via \u003ctt\u003eAsh.Changeset.set_private_argument/3\u003c/tt\u003e) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments, but the filtering is incomplete.\u003c/p\u003e\u003cp\u003eIn the regular changeset path (\u003ctt\u003efor_create\u003c/tt\u003e, \u003ctt\u003efor_update\u003c/tt\u003e, \u003ctt\u003efor_destroy\u003c/tt\u003e), private arguments are stripped only when the parameter key is an atom. When the key is a binary (string), as is the case for user-supplied parameters, the private argument is kept and the user controls its value. In the atomic path (\u003ctt\u003eAsh.Changeset.fully_atomic_changeset/4\u003c/tt\u003e, also reached through atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary.\u003c/p\u003e\u003cp\u003eAn attacker who can submit parameters to an action that defines a private argument can therefore inject a value for that argument. Depending on how the application uses the argument (for example an \u003ctt\u003eacting_user_id\u003c/tt\u003e driving authorization or record ownership), this can lead to an integrity violation or privilege escalation.\u003c/p\u003e\u003cp\u003eThis issue affects ash: from 3.0.0 before 3.29.3.\u003c/p\u003e"
            }
          ],
          "value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code.\n\nAction arguments declared with public?: false are meant to be set internally (for example via Ash.Changeset.set_private_argument/3) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments, but the filtering is incomplete.\n\nIn the regular changeset path (for_create, for_update, for_destroy), private arguments are stripped only when the parameter key is an atom. When the key is a binary (string), as is the case for user-supplied parameters, the private argument is kept and the user controls its value. In the atomic path (Ash.Changeset.fully_atomic_changeset/4, also reached through atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary.\n\nAn attacker who can submit parameters to an action that defines a private argument can therefore inject a value for that argument. Depending on how the application uses the argument (for example an acting_user_id driving authorization or record ownership), this can lead to an integrity violation or privilege escalation.\n\nThis issue affects ash: from 3.0.0 before 3.29.3."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-77",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-77 Manipulating User-Controlled Variables"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-915",
              "description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-23T18:21:13.033Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/ash-project/ash/security/advisories/GHSA-f4hc-ppw9-4hhw"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-55736.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-55736"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/ash-project/ash/commit/d9b3100219b3ea86d73202bf7368c03a7688efea"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Private action arguments can be set by user input in Ash",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-55736",
    "datePublished": "2026-06-23T18:21:13.033Z",
    "dateReserved": "2026-06-17T10:44:34.365Z",
    "dateUpdated": "2026-06-23T18:21:13.033Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}
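
The key-type gap described in the record above, as an added example that is not Ash's code: a stripped-down model of the parameter filter in plain Elixir, a hardened version beside it, and an application-side allowlist that can be applied before upgrading. `PrivateArgDemo`, its `strip_private_*` functions, `public_params/2` and the `@action` shape are hypothetical; Ash's own logic lives in `Ash.Changeset.cast_params/4` and `atomic_params/4`, and on affected versions the atomic path strips nothing at all, so the "vulnerable" function below is the more generous of the two affected behaviours.

```elixir
# Added example, not Ash's own code: models the private-argument filtering
# described in CVE-2026-55736. Run with: elixir private_arg_demo.exs
defmodule PrivateArgDemo do
  # Hypothetical action shape: arguments carry the public? flag Ash uses.
  @action %{
    name: :create_post,
    arguments: [
      %{name: :title, public?: true},
      %{name: :acting_user_id, public?: false}
    ]
  }

  def action, do: @action

  defp private_names(action) do
    for %{name: name, public?: false} <- action.arguments, do: name
  end

  # Vulnerable shape: the private list is only consulted for atom keys, so a
  # string key such as "acting_user_id" (what a web form or JSON body yields)
  # passes straight through and the caller controls its value.
  def strip_private_vulnerable(params, action) do
    private = private_names(action)
    Map.reject(params, fn {key, _value} -> is_atom(key) and key in private end)
  end

  # Hardened shape: map a string key to its atom form only when it names a
  # declared argument, then compare both key types against the private list.
  # Unknown strings are never turned into atoms, so an attacker cannot grow
  # the atom table with random keys.
  def strip_private_fixed(params, action) do
    known = Map.new(action.arguments, fn arg -> {Atom.to_string(arg.name), arg.name} end)
    private = private_names(action)

    Map.reject(params, fn {key, _value} ->
      name = if is_binary(key), do: Map.get(known, key), else: key
      name in private
    end)
  end

  # Application-side guard for code that cannot upgrade yet: keep only the
  # public arguments, by their string names, before the map reaches
  # Ash.Changeset.for_create/3, for_update/3, for_destroy/3 or a bulk update.
  def public_params(params, action) do
    allowed = for %{name: name, public?: true} <- action.arguments, do: Atom.to_string(name)
    Map.take(params, allowed)
  end
end

# Constructed request parameters: string keys, as delivered by Plug/Phoenix,
# with the caller smuggling a value for the private argument.
params = %{"title" => "hello", "acting_user_id" => 1}
action = PrivateArgDemo.action()

IO.inspect(PrivateArgDemo.strip_private_vulnerable(params, action), label: "vulnerable filter keeps")
IO.inspect(PrivateArgDemo.strip_private_fixed(params, action), label: "fixed filter keeps")
IO.inspect(PrivateArgDemo.public_params(params, action), label: "allowlist keeps")
```

Running it prints three maps: the vulnerable filter keeps the string-keyed `acting_user_id`, the fixed filter drops it, and the allowlist keeps only `title`. The allowlist is the safer pre-upgrade control because it does not depend on the library's key handling, but it only helps where every entry point applies it, atomic and bulk updates included; upgrading to 3.29.3 remains the fix.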

CVE-2026-54892 (GCVE-0-2026-54892)

Vulnerability from cvelistv5 – Published: 2026-06-23 12:31 – Updated: 2026-06-23 18:21
Title
Plug: quadratic-time decoding of nested query/body parameters enables denial of service
Summary
Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels. With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required. This vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2. This issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.
CWE
  • CWE-407 - Inefficient Algorithmic Complexity
Assigner
EEF
Impacted products
Vendor Product Version
elixir-plug plug Affected: 1.15.0 , < 1.15.5 (semver)
Affected: 1.16.0 , < 1.16.4 (semver)
Affected: 1.17.0 , < 1.17.2 (semver)
Affected: 1.18.0 , < 1.18.3 (semver)
Affected: 1.19.0 , < 1.19.3 (semver)
    cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*
    elixir-plug plug Affected: 712b875d3442c765d8d37e546ffd5ad9f8afcc55 , < * (git)
    cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*
Credits
Braidon Whatley (finder), José Valim (remediation developer), Jonatan Männchen / EEF (analyst)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54892",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-23T13:03:58.893269Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-23T13:04:27.014Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Plug.Conn.Query\u0027"
          ],
          "packageName": "plug",
          "packageURL": "pkg:hex/plug",
          "product": "plug",
          "programFiles": [
            "lib/plug/conn/query.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Plug.Conn.Query\u0027:decode/4"
            },
            {
              "name": "\u0027Elixir.Plug.Conn.Query\u0027:decode_each/2"
            },
            {
              "name": "\u0027Elixir.Plug.Conn.Query\u0027:split_keys/6"
            },
            {
              "name": "\u0027Elixir.Plug.Conn.Query\u0027:insert_keys/3"
            },
            {
              "name": "\u0027Elixir.Plug.Conn.Query\u0027:finalize_pointer/2"
            }
          ],
          "repo": "https://github.com/elixir-plug/plug",
          "vendor": "elixir-plug",
          "versions": [
            {
              "lessThan": "1.15.5",
              "status": "affected",
              "version": "1.15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.16.4",
              "status": "affected",
              "version": "1.16.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.17.2",
              "status": "affected",
              "version": "1.17.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.18.3",
              "status": "affected",
              "version": "1.18.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.19.3",
              "status": "affected",
              "version": "1.19.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Plug.Conn.Query\u0027"
          ],
          "packageName": "elixir-plug/plug",
          "packageURL": "pkg:github/elixir-plug/plug",
          "product": "plug",
          "programFiles": [
            "lib/plug/conn/query.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Plug.Conn.Query\u0027:decode/4"
            },
            {
              "name": "\u0027Elixir.Plug.Conn.Query\u0027:decode_each/2"
            },
            {
              "name": "\u0027Elixir.Plug.Conn.Query\u0027:split_keys/6"
            },
            {
              "name": "\u0027Elixir.Plug.Conn.Query\u0027:insert_keys/3"
            },
            {
              "name": "\u0027Elixir.Plug.Conn.Query\u0027:finalize_pointer/2"
            }
          ],
          "repo": "https://github.com/elixir-plug/plug",
          "vendor": "elixir-plug",
          "versions": [
            {
              "changes": [
                {
                  "at": "c317d08fdcf96e17931f7419275b2b8c4bf3e951",
                  "status": "unaffected"
                },
                {
                  "at": "9c5d37c440eaae92869eed7c014c47266744fadb",
                  "status": "unaffected"
                },
                {
                  "at": "d737eb236f17e31a36290e39f9ef3cd86a1343bd",
                  "status": "unaffected"
                },
                {
                  "at": "d4e5568392a4b29e545b91e12e87d6098f976145",
                  "status": "unaffected"
                },
                {
                  "at": "a61124aa625d819a218fb07f90afbac8aa85eb0e",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "712b875d3442c765d8d37e546ffd5ad9f8afcc55",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.15.5",
                  "versionStartIncluding": "1.15.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.16.4",
                  "versionStartIncluding": "1.16.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.17.2",
                  "versionStartIncluding": "1.17.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.18.3",
                  "versionStartIncluding": "1.18.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.19.3",
                  "versionStartIncluding": "1.19.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Braidon Whatley"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jos\u00e9 Valim"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen / EEF"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eInefficient algorithmic complexity in Plug\u0027s nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. \u003ctt\u003ePlug.Conn.Query.decode/4\u003c/tt\u003e (and \u003ctt\u003ePlug.Conn.Query.decode_each/2\u003c/tt\u003e) parse query strings and \u003ctt\u003eapplication/x-www-form-urlencoded\u003c/tt\u003e request bodies. When a key contains many bracketed segments such as \u003ctt\u003ea[a][a][a]=1\u003c/tt\u003e, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.\u003c/p\u003e\u003cp\u003eWith the default \u003ctt\u003ePlug.Parsers.URLENCODED\u003c/tt\u003e body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/plug/conn/query.ex\u003c/tt\u003e and program routines \u003ctt\u003ePlug.Conn.Query.decode/4\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.decode_each/2\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.split_keys/6\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.insert_keys/3\u003c/tt\u003e, and \u003ctt\u003ePlug.Conn.Query.finalize_pointer/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.\u003c/p\u003e"
            }
          ],
          "value": "Inefficient algorithmic complexity in Plug\u0027s nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.\n\nWith the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.\n\nThis vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2.\n\nThis issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-229",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-229 Serialized Data Parameter Blowup"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-407",
              "description": "CWE-407 Inefficient Algorithmic Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-23T18:21:14.232Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-54892.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-54892"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/elixir-plug/plug/commit/c317d08fdcf96e17931f7419275b2b8c4bf3e951"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/elixir-plug/plug/commit/9c5d37c440eaae92869eed7c014c47266744fadb"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/elixir-plug/plug/commit/d737eb236f17e31a36290e39f9ef3cd86a1343bd"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/elixir-plug/plug/commit/d4e5568392a4b29e545b91e12e87d6098f976145"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/elixir-plug/plug/commit/a61124aa625d819a218fb07f90afbac8aa85eb0e"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Plug: quadratic-time decoding of nested query/body parameters enables denial of service",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-54892",
    "datePublished": "2026-06-23T12:31:12.629Z",
    "dateReserved": "2026-06-16T10:47:13.915Z",
    "dateUpdated": "2026-06-23T18:21:14.232Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}
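
A pre-decode guard and a cost model for the nesting described in the record above, as an added example that is not Plug's code. `NestingDemo.check/2` and `max_nesting_depth/1` are hypothetical helpers that bound bracket depth on the raw query string in one linear pass before anything is decoded; `decode_prefix_keyed/1` only reproduces the cost pattern the record describes (one map operation per level, keyed on the prefix seen so far) and is not Plug's decoder. The 32-level default is an assumption.

```elixir
# Added example, not Plug's own code. Run with: elixir nesting_demo.exs
defmodule NestingDemo do
  @default_max_depth 32

  # Pre-decode guard: bound the bracket depth of every key in a raw query
  # string or application/x-www-form-urlencoded body in one linear pass.
  # Keys are percent-decoded first because the real decoder sees "%5B" as
  # "[", so a guard that only counts literal brackets is trivially bypassed.
  # A malformed percent escape raises ArgumentError; map that to a 400.
  def check(raw, max_depth \\ @default_max_depth) when is_binary(raw) do
    depth = max_nesting_depth(raw)
    if depth > max_depth, do: {:error, {:nesting_too_deep, depth}}, else: :ok
  end

  def max_nesting_depth(raw) when is_binary(raw) do
    raw
    |> String.split("&")
    |> Enum.map(fn pair ->
      pair
      |> String.split("=", parts: 2)
      |> hd()
      |> URI.decode_www_form()
      |> opening_brackets()
    end)
    |> Enum.max()
  end

  defp opening_brackets(key), do: length(:binary.matches(key, "["))

  # Cost model of the affected decoder, not its code: each level does a map
  # operation keyed on the key prefix seen so far, so level i hashes an
  # O(i)-byte key and N levels cost O(N^2).
  def decode_prefix_keyed(key) when is_binary(key) do
    key
    |> String.split(["[", "]"], trim: true)
    |> Enum.reduce({%{}, ""}, fn segment, {acc, prefix} ->
      prefix = prefix <> "[" <> segment <> "]"
      {Map.put(acc, prefix, segment), prefix}
    end)
    |> elem(0)
  end

  # Linear shape for comparison: split once, then nest from the innermost
  # segment outwards. Each step touches one short segment, never the prefix.
  def decode_segments(key, value) when is_binary(key) do
    key
    |> String.split(["[", "]"], trim: true)
    |> Enum.reverse()
    |> Enum.reduce(value, fn segment, inner -> %{segment => inner} end)
  end

  # Microseconds to decode a[a][a]...=1 with `levels` bracket groups.
  # For the quadratic model, doubling `levels` should roughly quadruple this.
  def measure(levels, decoder \\ &decode_prefix_keyed/1) do
    key = "a" <> String.duplicate("[a]", levels)
    {micros, _result} = :timer.tc(fn -> decoder.(key) end)
    micros
  end
end

# Constructed inputs: a benign nested key, and a deep one with percent-encoded
# brackets that a naive literal-bracket count would miss.
IO.inspect(NestingDemo.check("user[name]=x&tags[][id]=1"), label: "benign")
IO.inspect(NestingDemo.check("a" <> String.duplicate("%5Ba%5D", 100) <> "=1"), label: "deep")

for n <- [2_000, 4_000, 8_000] do
  quadratic = NestingDemo.measure(n)
  linear = NestingDemo.measure(n, &NestingDemo.decode_segments(&1, "1"))
  IO.puts("#{n} levels: prefix-keyed model #{quadratic} us, segment decoder #{linear} us")
end
```

In a Plug pipeline the query-string check belongs in a plug placed before `fetch_query_params` and `Plug.Parsers`, where `conn.query_string` is still the raw string. For request bodies on affected versions, the practical lever is lowering the `:length` option of `Plug.Parsers` for urlencoded content, since the record ties the 333,000-level figure to the 1,000,000-byte default. Both are stopgaps; the fixed releases listed above are the remedy.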

CVE-2026-48591 (GCVE-0-2026-48591)

Vulnerability from cvelistv5 – Published: 2026-06-17 16:42 – Updated: 2026-06-18 04:45
Title
Stored XSS via unescaped HTML attribute values in earmark
Summary
Improper Neutralization of Script in Attributes in a Web Page vulnerability in pragdave earmark allows stored cross-site scripting via unescaped HTML attribute values. 'Elixir.Earmark.Transform':_make_att1/2 in lib/earmark/transform.ex splices attribute values verbatim between two literal " bytes: [" ", name, "=\"", value, "\""]. Text nodes are routed through the existing escape function which encodes " as &quot;, but attribute values never visit that path. A markdown link whose URL or title contains a bare " closes the attribute early and lets the trailing bytes be parsed by the browser as fresh HTML attributes. For example, [click](http://example.com/?a=x" onerror="alert(1)) renders as <a href="http://example.com/?a=x" onerror="alert(1)">click</a>, executing arbitrary JavaScript in the victim's browser. The earmark library is no longer maintained and has been retired on Hex. No patched version will be released. All releases from 1.4.1 onward are affected, and users should migrate to a maintained Markdown library such as MDEx. This issue affects earmark from 1.4.1 onward.
CWE
  • CWE-83 - Improper Neutralization of Script in Attributes in a Web Page
Assigner
EEF
Impacted products
Vendor Product Version
pragdave earmark Affected: 1.4.1 , < * (semver)
    cpe:2.3:a:pragdave:earmark:*:*:*:*:*:*:*:*
    pragdave earmark Affected: 8236a0570bd894b50e360da08131ec3294c20799 , < * (git)
    cpe:2.3:a:pragdave:earmark:*:*:*:*:*:*:*:*
Credits
Peter Ullrich, Robert Dober, Jonatan Männchen / EEF
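The attribute splice described above, and the allowlist workaround given for MDEx's `highlight_lines_class` in the CVE-2026-53427 record, as one added example that is not earmark's or MDEx's code: the vulnerable iodata shape quoted in the record beside an escaping version, a small renderer that shows the attribute break-out, a count that a regression test can assert on, and a class-name allowlist. `AttrEscapeDemo` and its functions are hypothetical names; `make_att_vulnerable/1` reproduces only the iodata shape the record quotes, not earmark's source.

```elixir
# Added example, not earmark's or MDEx's own code. Run with: elixir attr_escape_demo.exs
defmodule AttrEscapeDemo do
  # Vulnerable shape, the iodata quoted in the CVE-2026-48591 record: the value
  # sits verbatim between two literal quote bytes, so a quote in the value
  # closes the attribute and the remaining bytes parse as new attributes.
  def make_att_vulnerable({name, value}), do: [" ", name, "=\"", value, "\""]

  # Hardened shape: escape every character that can end the attribute or
  # start markup. Ampersand goes first so the entities added afterwards are
  # not double-escaped.
  def make_att_fixed({name, value}), do: [" ", name, "=\"", escape_attr(value), "\""]

  def escape_attr(value) when is_binary(value) do
    value
    |> String.replace("&", "&amp;")
    |> String.replace("\"", "&quot;")
    |> String.replace("'", "&#39;")
    |> String.replace("<", "&lt;")
    |> String.replace(">", "&gt;")
  end

  # Minimal renderer for an <a> node, parameterised on the attribute builder.
  def render_link(href, text, make_att) do
    IO.iodata_to_binary(["<a", make_att.({"href", href}), ">", text, "</a>"])
  end

  # Quick regression check for a markdown pipeline: a tag built from one
  # attribute must contain exactly one `="`. Good enough to catch this class
  # of break-out; a real test suite should parse the HTML instead.
  def attribute_count(html) when is_binary(html) do
    [open_tag | _rest] = String.split(html, ">", parts: 2)
    length(:binary.matches(open_tag, "=\""))
  end

  # Allowlist for a CSS class value, the MDEx workaround: only characters that
  # can never leave the attribute. Reject rather than escape, since a class
  # name has no legitimate need for anything else.
  def safe_class?(value) when is_binary(value) do
    Regex.match?(~r/\A[A-Za-z0-9_ -]+\z/, value)
  end
end

# Constructed payload: the link URL from the record, carrying a bare quote.
href = "http://example.com/?a=x\" onerror=\"alert(1)"

vulnerable = AttrEscapeDemo.render_link(href, "click", &AttrEscapeDemo.make_att_vulnerable/1)
fixed = AttrEscapeDemo.render_link(href, "click", &AttrEscapeDemo.make_att_fixed/1)

IO.puts("vulnerable: #{vulnerable}  (attributes: #{AttrEscapeDemo.attribute_count(vulnerable)})")
IO.puts("fixed:      #{fixed}  (attributes: #{AttrEscapeDemo.attribute_count(fixed)})")

IO.inspect(AttrEscapeDemo.safe_class?("hl line-3"), label: "class allowed")
IO.inspect(AttrEscapeDemo.safe_class?("x\" onmouseover=\"alert(1)"), label: "class allowed")
```

The vulnerable render yields an `<a>` with two attributes, the escaped one a single `href` whose value contains `&quot;`. Escaping the value only closes the attribute break-out; it does not validate the URL itself, so scheme filtering (for example rejecting `javascript:` links) is a separate control. Since earmark is retired and will not ship a fix, the escaping builder is a stopgap for code that still renders untrusted Markdown through it while migrating to a maintained library such as MDEx.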

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48591",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-17T18:25:40.841347Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-17T18:25:55.606Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:pragdave:earmark:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Earmark.Transform\u0027"
          ],
          "packageName": "earmark",
          "packageURL": "pkg:hex/earmark",
          "product": "earmark",
          "programFiles": [
            "lib/earmark/transform.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Earmark.Transform\u0027:_make_att1/2"
            }
          ],
          "repo": "https://github.com/pragdave/earmark",
          "vendor": "pragdave",
          "versions": [
            {
              "lessThan": "*",
              "status": "affected",
              "version": "1.4.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:pragdave:earmark:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Earmark.Transform\u0027"
          ],
          "packageName": "pragdave/earmark",
          "packageURL": "pkg:github/pragdave/earmark",
          "product": "earmark",
          "programFiles": [
            "lib/earmark/transform.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Earmark.Transform\u0027:_make_att1/2"
            }
          ],
          "repo": "https://github.com/pragdave/earmark",
          "vendor": "pragdave",
          "versions": [
            {
              "lessThan": "*",
              "status": "affected",
              "version": "8236a0570bd894b50e360da08131ec3294c20799",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:pragdave:earmark:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "1.4.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Robert Dober"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen / EEF"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Neutralization of Script in Attributes in a Web Page vulnerability in pragdave earmark allows stored cross-site scripting via unescaped HTML attribute values.\u003c/p\u003e\u003cp\u003e\u003ctt\u003e\u0027Elixir.Earmark.Transform\u0027:_make_att1/2\u003c/tt\u003e in \u003ctt\u003elib/earmark/transform.ex\u003c/tt\u003e splices attribute values verbatim between two literal \u003ctt\u003e\"\u003c/tt\u003e bytes: \u003ctt\u003e[\" \", name, \"=\\\"\" , value, \"\\\"\"]\u003c/tt\u003e. Text nodes are routed through the existing escape function which encodes \u003ctt\u003e\"\u003c/tt\u003e as \u003ctt\u003e\u0026amp;quot;\u003c/tt\u003e, but attribute values never visit that path. A markdown link whose URL or title contains a bare \u003ctt\u003e\"\u003c/tt\u003e closes the attribute early and lets the trailing bytes be parsed by the browser as fresh HTML attributes. For example, \u003ctt\u003e[click](http://example.com/?a=x\" onerror=\"alert(1))\u003c/tt\u003e renders as \u003ctt\u003e\u0026lt;a href=\"http://example.com/?a=x\" onerror=\"alert(1)\"\u0026gt;click\u0026lt;/a\u0026gt;\u003c/tt\u003e, executing arbitrary JavaScript in the victim\u0027s browser.\u003c/p\u003e\u003cp\u003eThe earmark library is no longer maintained and has been retired on Hex. No patched version will be released. All releases from 1.4.1 onward are affected, and users should migrate to a maintained Markdown library such as MDEx.\u003c/p\u003e\u003cp\u003eThis issue affects earmark from 1.4.1 onward.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Script in Attributes in a Web Page vulnerability in pragdave earmark allows stored cross-site scripting via unescaped HTML attribute values.\n\n\u0027Elixir.Earmark.Transform\u0027:_make_att1/2 in lib/earmark/transform.ex splices attribute values verbatim between two literal \" bytes: [\" \", name, \"=\\\"\", value, \"\\\"\"]. Text nodes are routed through the existing escape function which encodes \" as \u0026quot;, but attribute values never visit that path. A markdown link whose URL or title contains a bare \" closes the attribute early and lets the trailing bytes be parsed by the browser as fresh HTML attributes. For example, [click](http://example.com/?a=x\" onerror=\"alert(1)) renders as \u003ca href=\"http://example.com/?a=x\" onerror=\"alert(1)\"\u003eclick\u003c/a\u003e, executing arbitrary JavaScript in the victim\u0027s browser.\n\nThe earmark library is no longer maintained and has been retired on Hex. No patched version will be released. All releases from 1.4.1 onward are affected, and users should migrate to a maintained Markdown library such as MDEx.\n\nThis issue affects earmark from 1.4.1 onward."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-243",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-243 XSS Targeting HTML Attributes"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-83",
              "description": "CWE-83 Improper Neutralization of Script in Attributes in a Web Page",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-18T04:45:59.864Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "related",
            "third-party-advisory"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-48591.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48591"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Stored XSS via unescaped HTML attribute values in earmark",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMigrate to a maintained Markdown library such as \u003ca href=\"https://hex.pm/packages/mdex\"\u003eMDEx\u003c/a\u003e. The earmark package has been retired on Hex and no patched release will be made.\u003c/p\u003e"
            }
          ],
          "value": "Migrate to a maintained Markdown library such as MDEx (https://hex.pm/packages/mdex). The earmark package has been retired on Hex and no patched release will be made."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-48591",
    "datePublished": "2026-06-17T16:42:37.508Z",
    "dateReserved": "2026-05-22T09:36:56.834Z",
    "dateUpdated": "2026-06-18T04:45:59.864Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48853 (GCVE-0-2026-48853)

Vulnerability from cvelistv5 – Published: 2026-06-15 21:56 – Updated: 2026-06-17 04:47
Title
Remote code execution and denial of service via unsafe Erlang term deserialization in elixir-grpc/grpc
Summary
Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote code execution on the server. 'Elixir.GRPC.Codec.Erlpack':decode/2 (lib/grpc/codec/erlpack.ex) calls :erlang.binary_to_term/1 on the raw gRPC message body without the :safe option, no size bound, and no type guard. Any unauthenticated peer that sends a request with Content-Type: application/grpc+erlpack can send a crafted payload that mints arbitrary new atoms (which are never garbage-collected, exhausting the bounded atom table and crashing the VM) or that encodes a fun term which, if applied anywhere downstream, executes attacker-controlled code inside the server process. This issue affects grpc from 0.4.0 before 1.0.0.
CWE
  • CWE-502 - Deserialization of Untrusted Data
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
EEF
Impacted products
Vendor Product Version
elixir-grpc grpc Affected: 0.4.0 , < 1.0.0 (semver)
    cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*
    elixir-grpc grpc Affected: 25bcc569fe2cc4478531a6c546c923205fc751c9 , < 272a97a5ea1b46af1819f14a831fcf35fc91f992 (git)
    cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*
Credits
Peter Ullrich (finder), Paulo Valente (remediation developer), Jonatan Männchen (analyst)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48853",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-16T14:44:19.175606Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-16T14:45:02.196Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/elixir-grpc/grpc/security/advisories/GHSA-grp7-v8xh-rj7h"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.GRPC.Codec.Erlpack\u0027"
          ],
          "packageName": "grpc",
          "packageURL": "pkg:hex/grpc",
          "product": "grpc",
          "programFiles": [
            "lib/grpc/codec/erlpack.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.GRPC.Codec.Erlpack\u0027:decode/2"
            }
          ],
          "repo": "https://github.com/elixir-grpc/grpc",
          "vendor": "elixir-grpc",
          "versions": [
            {
              "lessThan": "1.0.0",
              "status": "affected",
              "version": "0.4.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.GRPC.Codec.Erlpack\u0027"
          ],
          "packageName": "elixir-grpc/grpc",
          "packageURL": "pkg:github/elixir-grpc/grpc",
          "product": "grpc",
          "programFiles": [
            "lib/grpc/codec/erlpack.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.GRPC.Codec.Erlpack\u0027:decode/2"
            }
          ],
          "repo": "https://github.com/elixir-grpc/grpc",
          "vendor": "elixir-grpc",
          "versions": [
            {
              "lessThan": "272a97a5ea1b46af1819f14a831fcf35fc91f992",
              "status": "affected",
              "version": "25bcc569fe2cc4478531a6c546c923205fc751c9",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ctt\u003eGRPC.Codec.Erlpack\u003c/tt\u003e must be explicitly registered as a codec on the gRPC server."
            }
          ],
          "value": "GRPC.Codec.Erlpack must be explicitly registered as a codec on the gRPC server."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.0.0",
                  "versionStartIncluding": "0.4.0",
                  "vulnerable": true
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Paulo Valente"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDeserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote code execution on the server.\u003c/p\u003e\u003cp\u003e\u003ctt\u003e\u0027Elixir.GRPC.Codec.Erlpack\u0027:decode/2\u003c/tt\u003e (\u003ctt\u003elib/grpc/codec/erlpack.ex\u003c/tt\u003e) calls \u003ctt\u003e:erlang.binary_to_term/1\u003c/tt\u003e on the raw gRPC message body without the \u003ctt\u003e:safe\u003c/tt\u003e option, no size bound, and no type guard. Any unauthenticated peer that sends a request with \u003ctt\u003eContent-Type: application/grpc+erlpack\u003c/tt\u003e can send a crafted payload that mints arbitrary new atoms (which are never garbage-collected, exhausting the bounded atom table and crashing the VM) or that encodes a fun term which, if applied anywhere downstream, executes attacker-controlled code inside the server process.\u003c/p\u003e\u003cp\u003eThis issue affects grpc from 0.4.0 before 1.0.0.\u003c/p\u003e"
            }
          ],
          "value": "Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote code execution on the server.\n\n\u0027Elixir.GRPC.Codec.Erlpack\u0027:decode/2 (lib/grpc/codec/erlpack.ex) calls :erlang.binary_to_term/1 on the raw gRPC message body without the :safe option, no size bound, and no type guard. Any unauthenticated peer that sends a request with Content-Type: application/grpc+erlpack can send a crafted payload that mints arbitrary new atoms (which are never garbage-collected, exhausting the bounded atom table and crashing the VM) or that encodes a fun term which, if applied anywhere downstream, executes attacker-controlled code inside the server process.\n\nThis issue affects grpc from 0.4.0 before 1.0.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-586",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-586 Object Injection"
            }
          ]
        },
        {
          "capecId": "CAPEC-231",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-231 Oversized Serialized Data Payloads"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.2,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-17T04:47:30.147Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/elixir-grpc/grpc/security/advisories/GHSA-grp7-v8xh-rj7h"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-48853.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48853"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/elixir-grpc/grpc/commit/272a97a5ea1b46af1819f14a831fcf35fc91f992"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Remote code execution and denial of service via unsafe Erlang term deserialization in elixir-grpc/grpc",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-48853",
    "datePublished": "2026-06-15T21:56:15.262Z",
    "dateReserved": "2026-05-25T20:44:10.696Z",
    "dateUpdated": "2026-06-17T04:47:30.147Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-53430 (GCVE-0-2026-53430)

Vulnerability from cvelistv5 – Published: 2026-06-15 21:55 – Updated: 2026-06-17 04:46
Title
grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1
Summary
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Message modules) allows a denial of service via a gzip decompression bomb. This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.ex and program routines 'Elixir.GRPC.Compressor.Gzip':decompress/1, 'Elixir.GRPC.Message':from_data/2. 'Elixir.GRPC.Compressor.Gzip':decompress/1 calls :zlib.gunzip/1 directly on attacker-controlled bytes with no decompressed-size limit, ratio check, or incremental decoding. Because this module is the registered gzip GRPC.Compressor implementation, it is invoked automatically whenever an incoming gRPC frame carries the grpc-encoding: gzip header. :zlib.gunzip/1 allocates the entire decompressed result as a single binary, so a small highly compressible payload (for example a few kilobytes of zeros, which gzip compresses at roughly 1000:1) expands to multiple gigabytes inside a single call. The max_receive_message_length limit is enforced only against the already-decompressed message, so it provides no protection. An unauthenticated remote peer can send a single crafted frame to exhaust the BEAM node's heap and trigger an out-of-memory kill. This issue affects grpc from 0.4.0 before 1.0.0.
CWE
  • CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
Assigner
EEF
Impacted products
Vendor Product Version
elixir-grpc grpc Affected: 0.4.0 , < 1.0.0 (semver)
    cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*
    elixir-grpc grpc Affected: beae6800fc8baf126f3fe7107d86a50e105275ba , < 1afbab9d57d2a3e16ca9c62ffa4923338ea96cfc (git)
    cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*
Credits
Peter Ullrich (finder), Paulo Valente (remediation developer)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-53430",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-16T14:42:39.467618Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-16T14:43:11.143Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/elixir-grpc/grpc/security/advisories/GHSA-6ccx-9c9f-327w"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://hex.pm",
          "cpes": [
            "cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.GRPC.Compressor.Gzip\u0027",
            "\u0027Elixir.GRPC.Message\u0027"
          ],
          "packageName": "grpc",
          "packageURL": "pkg:hex/grpc",
          "product": "grpc",
          "programFiles": [
            "lib/grpc/compressor/gzip.ex",
            "lib/grpc/message.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.GRPC.Compressor.Gzip\u0027:decompress/1"
            },
            {
              "name": "\u0027Elixir.GRPC.Message\u0027:from_data/2"
            }
          ],
          "repo": "https://github.com/elixir-grpc/grpc",
          "vendor": "elixir-grpc",
          "versions": [
            {
              "lessThan": "1.0.0",
              "status": "affected",
              "version": "0.4.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.GRPC.Compressor.Gzip\u0027",
            "\u0027Elixir.GRPC.Message\u0027"
          ],
          "packageName": "elixir-grpc/grpc",
          "packageURL": "pkg:github/elixir-grpc/grpc",
          "product": "grpc",
          "programFiles": [
            "lib/grpc/compressor/gzip.ex",
            "lib/grpc/message.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.GRPC.Compressor.Gzip\u0027:decompress/1"
            },
            {
              "name": "\u0027Elixir.GRPC.Message\u0027:from_data/2"
            }
          ],
          "repo": "https://github.com/elixir-grpc/grpc",
          "vendor": "elixir-grpc",
          "versions": [
            {
              "lessThan": "1afbab9d57d2a3e16ca9c62ffa4923338ea96cfc",
              "status": "affected",
              "version": "beae6800fc8baf126f3fe7107d86a50e105275ba",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.0.0",
                  "versionStartIncluding": "0.4.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Paulo Valente"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (\u003ctt\u003eGRPC.Compressor.Gzip\u003c/tt\u003e, \u003ctt\u003eGRPC.Message\u003c/tt\u003e modules) allows a denial of service via a gzip decompression bomb.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/grpc/compressor/gzip.ex\u003c/tt\u003e, \u003ctt\u003elib/grpc/message.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.GRPC.Compressor.Gzip\u0027:decompress/1\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.GRPC.Message\u0027:from_data/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003e\u003ctt\u003e\u0027Elixir.GRPC.Compressor.Gzip\u0027:decompress/1\u003c/tt\u003e calls \u003ctt\u003e:zlib.gunzip/1\u003c/tt\u003e directly on attacker-controlled bytes with no decompressed-size limit, ratio check, or incremental decoding. Because this module is the registered gzip \u003ctt\u003eGRPC.Compressor\u003c/tt\u003e implementation, it is invoked automatically whenever an incoming gRPC frame carries the \u003ctt\u003egrpc-encoding: gzip\u003c/tt\u003e header. \u003ctt\u003e:zlib.gunzip/1\u003c/tt\u003e allocates the entire decompressed result as a single binary, so a small highly compressible payload (for example a few kilobytes of zeros, which gzip compresses at roughly 1000:1) expands to multiple gigabytes inside a single call. The \u003ctt\u003emax_receive_message_length\u003c/tt\u003e limit is enforced only against the already-decompressed message, so it provides no protection. An unauthenticated remote peer can send a single crafted frame to exhaust the BEAM node\u0027s heap and trigger an out-of-memory kill.\u003c/p\u003e\u003cp\u003eThis issue affects grpc: from 0.4.0 before 1.0.0.\u003c/p\u003e"
            }
          ],
          "value": "Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Message modules) allows a denial of service via a gzip decompression bomb.\n\nThis vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.ex and program routines \u0027Elixir.GRPC.Compressor.Gzip\u0027:decompress/1, \u0027Elixir.GRPC.Message\u0027:from_data/2.\n\n\u0027Elixir.GRPC.Compressor.Gzip\u0027:decompress/1 calls :zlib.gunzip/1 directly on attacker-controlled bytes with no decompressed-size limit, ratio check, or incremental decoding. Because this module is the registered gzip GRPC.Compressor implementation, it is invoked automatically whenever an incoming gRPC frame carries the grpc-encoding: gzip header. :zlib.gunzip/1 allocates the entire decompressed result as a single binary, so a small highly compressible payload (for example a few kilobytes of zeros, which gzip compresses at roughly 1000:1) expands to multiple gigabytes inside a single call. The max_receive_message_length limit is enforced only against the already-decompressed message, so it provides no protection. An unauthenticated remote peer can send a single crafted frame to exhaust the BEAM node\u0027s heap and trigger an out-of-memory kill.\n\nThis issue affects grpc: from 0.4.0 before 1.0.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-409",
              "description": "CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-17T04:46:39.180Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/elixir-grpc/grpc/security/advisories/GHSA-6ccx-9c9f-327w"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-53430.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-53430"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/elixir-grpc/grpc/commit/1afbab9d57d2a3e16ca9c62ffa4923338ea96cfc"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-53430",
    "datePublished": "2026-06-15T21:55:33.707Z",
    "dateReserved": "2026-06-09T11:01:47.529Z",
    "dateUpdated": "2026-06-17T04:46:39.180Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48599 (GCVE-0-2026-48599)

Vulnerability from cvelistv5 – Published: 2026-06-15 21:55 – Updated: 2026-06-17 04:46
Title
Authorization bypass via path binding override in elixir-grpc/grpc HTTP transcoding
Summary
Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. In 'Elixir.GRPC.Server.Transcode':map_request/5 (lib/grpc/server/transcode.ex), all three clauses use Map.merge/2 with path bindings as the first argument, giving them the lowest merge precedence. A request such as GET /users/me/profile?user_id=victim (or a POST with {"user_id": "victim"} when body: "*") yields a decoded protobuf struct where the path-bound field carries the attacker-supplied value rather than the router-extracted value. Any handler that uses the path-bound field for authorization, multi-tenancy scoping, or ownership checks is silently bypassed. This issue affects grpc from 0.8.0 before 1.0.0.
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
EEF
Impacted products
Vendor Product Version
elixir-grpc grpc Affected: 0.8.0 , < 1.0.0 (semver)
    cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*
    elixir-grpc grpc Affected: 8aaf3d3a8c4c7b08ac65e9c6f254e0d24da1d048 , < 33b6a095dbc91c6dee3c7b90893d7d74952e82e4 (git)
    cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*
Credits
Peter Ullrich, Paulo Valente, Jonatan Männchen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48599",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-16T14:45:46.288762Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-16T14:46:09.673Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/elixir-grpc/grpc/security/advisories/GHSA-mwr4-5g34-j5cq"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.GRPC.Server.Transcode\u0027"
          ],
          "packageName": "grpc",
          "packageURL": "pkg:hex/grpc",
          "product": "grpc",
          "programFiles": [
            "lib/grpc/server/transcode.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.GRPC.Server.Transcode\u0027:map_request/5"
            }
          ],
          "repo": "https://github.com/elixir-grpc/grpc",
          "vendor": "elixir-grpc",
          "versions": [
            {
              "lessThan": "1.0.0",
              "status": "affected",
              "version": "0.8.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.GRPC.Server.Transcode\u0027"
          ],
          "packageName": "elixir-grpc/grpc",
          "packageURL": "pkg:github/elixir-grpc/grpc",
          "product": "grpc",
          "programFiles": [
            "lib/grpc/server/transcode.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.GRPC.Server.Transcode\u0027:map_request/5"
            }
          ],
          "repo": "https://github.com/elixir-grpc/grpc",
          "vendor": "elixir-grpc",
          "versions": [
            {
              "lessThan": "33b6a095dbc91c6dee3c7b90893d7d74952e82e4",
              "status": "affected",
              "version": "8aaf3d3a8c4c7b08ac65e9c6f254e0d24da1d048",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "HTTP-to-gRPC transcoding must be enabled."
            }
          ],
          "value": "HTTP-to-gRPC transcoding must be enabled."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.0.0",
                  "versionStartIncluding": "0.8.0",
                  "vulnerable": true
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Paulo Valente"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAuthorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body.\u003c/p\u003e\u003cp\u003eIn \u003ctt\u003e\u0027Elixir.GRPC.Server.Transcode\u0027:map_request/5\u003c/tt\u003e (\u003ctt\u003elib/grpc/server/transcode.ex\u003c/tt\u003e), all three clauses use \u003ctt\u003eMap.merge/2\u003c/tt\u003e with path bindings as the first argument, giving them the lowest merge precedence. A request such as \u003ctt\u003eGET /users/me/profile?user_id=victim\u003c/tt\u003e (or a POST with \u003ctt\u003e{\"user_id\": \"victim\"}\u003c/tt\u003e when \u003ctt\u003ebody: \"*\"\u003c/tt\u003e) yields a decoded protobuf struct where the path-bound field carries the attacker-supplied value rather than the router-extracted value. Any handler that uses the path-bound field for authorization, multi-tenancy scoping, or ownership checks is silently bypassed.\u003c/p\u003e\u003cp\u003eThis issue affects grpc from 0.8.0 before 1.0.0.\u003c/p\u003e"
            }
          ],
          "value": "Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body.\n\nIn \u0027Elixir.GRPC.Server.Transcode\u0027:map_request/5 (lib/grpc/server/transcode.ex), all three clauses use Map.merge/2 with path bindings as the first argument, giving them the lowest merge precedence. A request such as GET /users/me/profile?user_id=victim (or a POST with {\"user_id\": \"victim\"} when body: \"*\") yields a decoded protobuf struct where the path-bound field carries the attacker-supplied value rather than the router-extracted value. Any handler that uses the path-bound field for authorization, multi-tenancy scoping, or ownership checks is silently bypassed.\n\nThis issue affects grpc from 0.8.0 before 1.0.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-460",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-460 HTTP Parameter Pollution (HPP)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-17T04:46:32.876Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/elixir-grpc/grpc/security/advisories/GHSA-mwr4-5g34-j5cq"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-48599.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48599"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/elixir-grpc/grpc/commit/33b6a095dbc91c6dee3c7b90893d7d74952e82e4"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Authorization bypass via path binding override in elixir-grpc/grpc HTTP transcoding",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-48599",
    "datePublished": "2026-06-15T21:55:28.702Z",
    "dateReserved": "2026-05-22T09:36:56.834Z",
    "dateUpdated": "2026-06-17T04:46:32.876Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48854 (GCVE-0-2026-48854)

Vulnerability from cvelistv5 – Published: 2026-06-15 21:55 – Updated: 2026-06-17 04:46
Title
Unbounded request body accumulation causes memory exhaustion in elixir-grpc/grpc
Summary
Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body. 'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node. This issue affects grpc from 0.3.1 before 1.0.0.
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
EEF
Impacted products
Vendor Product Version
elixir-grpc grpc Affected: 0.3.1 , < 1.0.0 (semver)
    cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*
    elixir-grpc grpc Affected: d1abe70a6cad6dac4a3f8235d883d7c896989560 , < 49e18c3ec6bb9afe2f712caad3dbab5c56a68a00 (git)
    cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*
Credits
Peter Ullrich, Paulo Valente, Jonatan Männchen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48854",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-16T14:47:02.881535Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-16T14:47:28.479Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/elixir-grpc/grpc/security/advisories/GHSA-q8gf-9rvj-gmgj"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.GRPC.Server.Adapters.Cowboy.Handler\u0027"
          ],
          "packageName": "grpc",
          "packageURL": "pkg:hex/grpc",
          "product": "grpc",
          "programFiles": [
            "lib/grpc/server/adapters/cowboy/handler.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.GRPC.Server.Adapters.Cowboy.Handler\u0027:read_full_body/3"
            }
          ],
          "repo": "https://github.com/elixir-grpc/grpc",
          "vendor": "elixir-grpc",
          "versions": [
            {
              "lessThan": "1.0.0",
              "status": "affected",
              "version": "0.3.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.GRPC.Server.Adapters.Cowboy.Handler\u0027"
          ],
          "packageName": "elixir-grpc/grpc",
          "packageURL": "pkg:github/elixir-grpc/grpc",
          "product": "grpc",
          "programFiles": [
            "lib/grpc/server/adapters/cowboy/handler.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.GRPC.Server.Adapters.Cowboy.Handler\u0027:read_full_body/3"
            }
          ],
          "repo": "https://github.com/elixir-grpc/grpc",
          "vendor": "elixir-grpc",
          "versions": [
            {
              "lessThan": "49e18c3ec6bb9afe2f712caad3dbab5c56a68a00",
              "status": "affected",
              "version": "d1abe70a6cad6dac4a3f8235d883d7c896989560",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.0.0",
                  "versionStartIncluding": "0.3.1",
                  "vulnerable": true
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Paulo Valente"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM\u0027s memory and crash the server by streaming a large or slow-trickle unary request body.\u003c/p\u003e\u003cp\u003e\u003ctt\u003e\u0027Elixir.GRPC.Server.Adapters.Cowboy.Handler\u0027:read_full_body/3\u003c/tt\u003e (\u003ctt\u003elib/grpc/server/adapters/cowboy/handler.ex\u003c/tt\u003e) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the \u003ctt\u003egrpc-timeout\u003c/tt\u003e header, the per-chunk read timeout resolves to \u003ctt\u003e:infinity\u003c/tt\u003e, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node.\u003c/p\u003e\u003cp\u003eThis issue affects grpc from 0.3.1 before 1.0.0.\u003c/p\u003e"
            }
          ],
          "value": "Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM\u0027s memory and crash the server by streaming a large or slow-trickle unary request body.\n\n\u0027Elixir.GRPC.Server.Adapters.Cowboy.Handler\u0027:read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node.\n\nThis issue affects grpc from 0.3.1 before 1.0.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        },
        {
          "capecId": "CAPEC-231",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-231 Oversized Serialized Data Payloads"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-17T04:46:27.584Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/elixir-grpc/grpc/security/advisories/GHSA-q8gf-9rvj-gmgj"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-48854.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48854"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/elixir-grpc/grpc/commit/49e18c3ec6bb9afe2f712caad3dbab5c56a68a00"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unbounded request body accumulation causes memory exhaustion in elixir-grpc/grpc",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-48854",
    "datePublished": "2026-06-15T21:55:23.629Z",
    "dateReserved": "2026-05-25T20:44:10.697Z",
    "dateUpdated": "2026-06-17T04:46:27.584Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-49757 (GCVE-0-2026-49757)

Vulnerability from cvelistv5 – Published: 2026-06-15 10:07 – Updated: 2026-06-15 14:14
Title
OAuth2/OIDC account takeover in AshAuthentication via email-based user matching
Summary
Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in. AshAuthentication's OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core §5.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers. A provider login presenting a victim's email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim's existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim's email (or who benefits from provider-side email reuse or reclamation) obtains the victim's full local privileges. The fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider's email_verified claim is trusted (trust_email_verified?). This issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.
CWE
  • CWE-290 - Authentication Bypass by Spoofing
Assigner
EEF
Impacted products
Vendor Product Version
team-alembic ash_authentication Affected: 0.1.0 , < 4.14.0 (semver)
Affected: 5.0.0-rc.0 , < 5.0.0-rc.10 (semver)
    cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*
    team-alembic ash_authentication Affected: c5f589058e04239263f50a1430eb17ea6d5dd1a2 , < * (git)
    cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*
Credits
Jarl André Hübenthal, James Harton, Jonatan Männchen / EEF

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-49757",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T12:35:13.009558Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T12:35:41.459Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.AshAuthentication.Strategy.OAuth2.IdentityChange\u0027",
            "\u0027Elixir.AshAuthentication.Strategy.OAuth2.SignInPreparation\u0027"
          ],
          "packageName": "ash_authentication",
          "packageURL": "pkg:hex/ash_authentication",
          "product": "ash_authentication",
          "programFiles": [
            "lib/ash_authentication/strategies/oauth2/identity_change.ex",
            "lib/ash_authentication/strategies/oauth2/sign_in_preparation.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.AshAuthentication.Strategy.OAuth2.IdentityChange\u0027:change/3"
            },
            {
              "name": "\u0027Elixir.AshAuthentication.Strategy.OAuth2.SignInPreparation\u0027:prepare/3"
            }
          ],
          "repo": "https://github.com/team-alembic/ash_authentication",
          "vendor": "team-alembic",
          "versions": [
            {
              "lessThan": "4.14.0",
              "status": "affected",
              "version": "0.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.0.0-rc.10",
              "status": "affected",
              "version": "5.0.0-rc.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.AshAuthentication.Strategy.OAuth2.IdentityChange\u0027",
            "\u0027Elixir.AshAuthentication.Strategy.OAuth2.SignInPreparation\u0027"
          ],
          "packageName": "team-alembic/ash_authentication",
          "packageURL": "pkg:github/team-alembic/ash_authentication",
          "product": "ash_authentication",
          "programFiles": [
            "lib/ash_authentication/strategies/oauth2/identity_change.ex",
            "lib/ash_authentication/strategies/oauth2/sign_in_preparation.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.AshAuthentication.Strategy.OAuth2.IdentityChange\u0027:change/3"
            },
            {
              "name": "\u0027Elixir.AshAuthentication.Strategy.OAuth2.SignInPreparation\u0027:prepare/3"
            }
          ],
          "repo": "https://github.com/team-alembic/ash_authentication.git",
          "vendor": "team-alembic",
          "versions": [
            {
              "changes": [
                {
                  "at": "728b8d28c1b5f465fa1116ef044a815300fc733d",
                  "status": "unaffected"
                },
                {
                  "at": "64530644f9b37ebb76ca14aeb83a77597a0034b7",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "c5f589058e04239263f50a1430eb17ea6d5dd1a2",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.0",
                  "versionStartIncluding": "0.1.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.0.0-rc.10",
                  "versionStartIncluding": "5.0.0-rc.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jarl Andr\u00e9 H\u00fcbenthal"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "James Harton"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen / EEF"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in.\u003cp\u003eAshAuthentication\u0027s OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect \u003ctt\u003eiss\u003c/tt\u003e/\u003ctt\u003esub\u003c/tt\u003e claim combination. Per OpenID Connect Core \u00a75.7, only \u003ctt\u003eiss\u003c/tt\u003e/\u003ctt\u003esub\u003c/tt\u003e uniquely and stably identifies an end-user; other claims, including \u003ctt\u003eemail\u003c/tt\u003e, MUST NOT be used as unique identifiers.\u003c/p\u003e\u003cp\u003eA provider login presenting a victim\u0027s email, including an unverified email, a reused email, or an account with \u003ctt\u003eemail_verified: false\u003c/tt\u003e, resolved to and signed in as the victim\u0027s existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim\u0027s email (or who benefits from provider-side email reuse or reclamation) obtains the victim\u0027s full local privileges.\u003c/p\u003e\u003cp\u003eThe fix resolves users by the \u003ctt\u003e(strategy, sub)\u003c/tt\u003e identity stored in a user identity resource, and only links a new \u003ctt\u003esub\u003c/tt\u003e to an existing local account by email when the provider\u0027s \u003ctt\u003eemail_verified\u003c/tt\u003e claim is trusted (\u003ctt\u003etrust_email_verified?\u003c/tt\u003e).\u003c/p\u003e\u003cp\u003eThis issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.\u003c/p\u003e"
            }
          ],
          "value": "Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in.\n\nAshAuthentication\u0027s OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core \u00a75.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers.\n\nA provider login presenting a victim\u0027s email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim\u0027s existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim\u0027s email (or who benefits from provider-side email reuse or reclamation) obtains the victim\u0027s full local privileges.\n\nThe fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider\u0027s email_verified claim is trusted (trust_email_verified?).\n\nThis issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-21",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-21 Exploitation of Trusted Identifiers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.2,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-290",
              "description": "CWE-290 Authentication Bypass by Spoofing",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T14:14:37.882Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-777c-2fxx-qr28"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-49757.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-49757"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/team-alembic/ash_authentication/commit/728b8d28c1b5f465fa1116ef044a815300fc733d"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/team-alembic/ash_authentication/commit/64530644f9b37ebb76ca14aeb83a77597a0034b7"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "OAuth2/OIDC account takeover in AshAuthentication via email-based user matching",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-49757",
    "datePublished": "2026-06-15T10:07:17.781Z",
    "dateReserved": "2026-06-01T13:45:22.449Z",
    "dateUpdated": "2026-06-15T14:14:37.882Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}
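
The description above hinges on which claim identifies the user. The following Python is an added illustration of the two patterns it contrasts, matching on the email claim versus matching on the (strategy, sub) identity with email linking gated on a trusted email_verified claim; it is not AshAuthentication's code. The in-memory Store, the strategy-to-issuer table, the sample claims and the decision to return None (refuse the sign-in) when an unverifiable email collides with someone else's account are assumptions made for the example.

```python
"""Matching an OIDC login to a local account: keyed on the email claim (the flaw)
next to keyed on the (strategy, sub) identity with email linking gated on a
trusted email_verified claim (the fix). Added illustration, not the library's code."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed strategy configuration: each strategy name maps to exactly one issuer.
STRATEGY_ISSUERS = {"corp_oidc": "https://idp.example.com"}


@dataclass
class User:
    id: int
    email: Optional[str]


@dataclass
class Store:
    """In-memory stand-in for the user and user-identity resources (assumption)."""
    users_by_id: dict = field(default_factory=dict)
    users_by_email: dict = field(default_factory=dict)
    identities: dict = field(default_factory=dict)   # (strategy, sub) -> user id
    next_id: int = 1

    def create_user(self, email: Optional[str]) -> User:
        email = email.lower() if email else None
        user = User(self.next_id, email)
        self.next_id += 1
        self.users_by_id[user.id] = user
        if email is not None:
            self.users_by_email[email] = user
        return user


def issuer_matches(strategy: str, claims: dict) -> bool:
    """A sub is only meaningful relative to its issuer, so iss must match the strategy."""
    return claims.get("iss") == STRATEGY_ISSUERS.get(strategy)


def resolve_by_email(store: Store, strategy: str, claims: dict) -> User:
    """Vulnerable pattern: upsert the local user on the email claim alone.
    email_verified is never consulted, so any provider account carrying the
    victim's address resolves to the victim."""
    if not issuer_matches(strategy, claims):
        raise ValueError("id token issuer does not match the strategy")
    email = claims["email"].lower()
    user = store.users_by_email.get(email)
    return user if user is not None else store.create_user(email)


def resolve_by_identity(store: Store, strategy: str, claims: dict,
                        trust_email_verified: bool = False) -> Optional[User]:
    """Fixed pattern: (strategy, sub) is the only key used to find a returning user.
    A never-seen sub is linked to an existing account by email only when the
    deployment trusts the provider's email_verified claim and it is true.
    Returns None when the login cannot be attached to anyone safely (assumption:
    the caller then refuses the sign-in instead of guessing)."""
    if not issuer_matches(strategy, claims):
        raise ValueError("id token issuer does not match the strategy")
    key = (strategy, claims["sub"])
    user_id = store.identities.get(key)
    if user_id is not None:
        return store.users_by_id[user_id]            # returning user, keyed on sub
    email = claims.get("email")
    email = email.lower() if email else None
    existing = store.users_by_email.get(email) if email else None
    if existing is None:
        user = store.create_user(email)              # first login: fresh local account
        store.identities[key] = user.id
        return user
    if trust_email_verified and claims.get("email_verified") is True:
        store.identities[key] = existing.id          # link this sub to the existing account
        return existing
    return None
```

With a victim already registered as victim@example.com, a provider account whose id token carries that email with email_verified false is signed in as the victim by resolve_by_email and refused by resolve_by_identity; once a sub has been linked, later logins are resolved by the identity alone and the email claim is no longer consulted.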

CVE-2026-53423 (GCVE-0-2026-53423)

Vulnerability from cvelistv5 – Published: 2026-06-11 10:44 – Updated: 2026-06-12 04:45
Title
Unauthenticated denial-of-service via BEAM atom table exhaustion in membrane_mp4_plugin
Summary
Allocation of Resources Without Limits or Throttling vulnerability in membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion. The MP4 box header parser converts each 4-byte box name to an atom using String.to_atom/1 without validation. 'Elixir.Membrane.MP4.Container.Header':parse_box_name/1 in lib/membrane_mp4/container/header.ex interns every box name encountered while 'Elixir.Membrane.MP4.Container.Header':parse/1 walks the input. BEAM atoms are never garbage-collected, so each unique attacker-controlled 4-byte name is a permanent allocation. A crafted MP4 of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names exhausts the atom table (default ceiling around 1,048,576 atoms), aborting the entire BEAM node and taking down all applications running on it. This issue affects membrane_mp4_plugin from 0.3.0 before 0.36.7.
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
EEF
Impacted products
Vendor Product Version
membraneframework membrane_mp4_plugin Affected: 0.3.0 , < 0.36.7 (semver)
    cpe:2.3:a:membraneframework:membrane_mp4_plugin:*:*:*:*:*:*:*:*
    membraneframework membrane_mp4_plugin Affected: ae4bf04c393aa1562f3df3d33e20bc5cb8130de2 , < 56373d1ddc86968e55fbde795c14eeba24357b57 (git)
    cpe:2.3:a:membraneframework:membrane_mp4_plugin:*:*:*:*:*:*:*:*
Credits
Finder: Łukasz Kita. Remediation developers: Łukasz Kita, Mateusz Front. Analyst: Jonatan Männchen / EEF

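The summary above describes a parser that interns every 4-byte box name it meets. The Python below is an added illustration of that walk beside a hardened one, not the plugin's code: the AtomTable class only models the relevant properties of BEAM's atom table (entries are never freed, there is a hard ceiling, overflow is fatal for the node), the KNOWN_BOX_NAMES allowlist and the node_survives helper are assumptions made for the example, and the payload builder and the sample file are constructed inline.

```python
"""MP4 box-header walk that interns every box name (the flaw) beside a walk that
interns only an allowlist and keeps unknown names as plain bytes (the fix).
Added illustration; AtomTable models BEAM's atom table, it is not BEAM."""
import struct

BEAM_DEFAULT_ATOM_LIMIT = 1_048_576          # default ceiling quoted in the advisory

# Constructed allowlist of box names a parser legitimately dispatches on.
KNOWN_BOX_NAMES = frozenset(
    b"ftyp moov mvhd trak tkhd mdia mdhd hdlr minf stbl stsd stts stsc stsz "
    b"stco co64 mdat free skip moof mfhd traf tfhd trun sidx styp".split()
)


class AtomTable:
    """Models interned names that are never garbage-collected."""

    def __init__(self, limit: int = BEAM_DEFAULT_ATOM_LIMIT):
        self.limit = limit
        self.atoms = {n.decode() for n in KNOWN_BOX_NAMES}   # present from the start

    def to_atom(self, name: bytes) -> str:
        """Like String.to_atom/1: allocates on first sight; overflow kills the node."""
        atom = name.decode("latin-1")
        if atom not in self.atoms:
            if len(self.atoms) >= self.limit:
                raise MemoryError("atom table overflow: BEAM node aborts")
            self.atoms.add(atom)
        return atom

    def to_existing_atom(self, name: bytes) -> str:
        """Like String.to_existing_atom/1: never allocates; unknown names raise."""
        atom = name.decode("latin-1")
        if atom not in self.atoms:
            raise KeyError(atom)
        return atom


def iter_box_headers(data: bytes):
    """Yield (name, box_size) for each top-level ISO BMFF box in data."""
    pos, end = 0, len(data)
    while pos + 8 <= end:
        size, name = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1:                            # 64-bit largesize follows the name
            if pos + 16 > end:
                raise ValueError("truncated largesize")
            size = struct.unpack_from(">Q", data, pos + 8)[0]
            header = 16
        elif size == 0:                          # box runs to end of file
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError(f"bad box size {size} at offset {pos}")
        yield name, size
        pos += size


def parse_unvalidated(data: bytes, table: AtomTable):
    """Vulnerable: each 4-byte name becomes a permanent atom, attacker-chosen or not."""
    return [(table.to_atom(name), size) for name, size in iter_box_headers(data)]


def parse_allowlisted(data: bytes, table: AtomTable):
    """Hardened: known names map to existing atoms; anything else stays bytes."""
    boxes = []
    for name, size in iter_box_headers(data):
        key = table.to_existing_atom(name) if name in KNOWN_BOX_NAMES else name
        boxes.append((key, size))
    return boxes


def node_survives(data: bytes, parser, limit: int = BEAM_DEFAULT_ATOM_LIMIT) -> bool:
    """Run parser over data against a fresh table; False means the node would abort."""
    try:
        parser(data, AtomTable(limit))
        return True
    except MemoryError:
        return False


def craft_atom_bomb(n_boxes: int) -> bytes:
    """Constructed payload: n_boxes empty boxes with distinct non-standard names.
    Each costs 8 bytes, so about 1.1 million boxes is roughly 8.8 MB."""
    assert n_boxes < 1 << 24
    return b"".join(struct.pack(">I4s", 8, b"z" + i.to_bytes(3, "big"))
                    for i in range(n_boxes))


# Constructed well-formed sample: a minimal ftyp box followed by a tiny mdat box.
SAMPLE_MP4 = (
    struct.pack(">I4s", 16, b"ftyp") + b"isom" + struct.pack(">I", 512)
    + struct.pack(">I4s", 12, b"mdat") + b"\x00" * 4
)
```

Running node_survives(craft_atom_bomb(200), parse_unvalidated, limit=100) models the crash with a small ceiling; the same payload through parse_allowlisted leaves the table at its initial size because unknown names are carried as bytes rather than interned.
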
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-53423",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-11T12:09:51.183359Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-11T12:11:18.865Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/membraneframework/membrane_mp4_plugin/security/advisories/GHSA-43hj-fxwj-49qw"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:membraneframework:membrane_mp4_plugin:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "Elixir.Membrane.MP4.Container.Header"
          ],
          "packageName": "membrane_mp4_plugin",
          "packageURL": "pkg:hex/membrane_mp4_plugin",
          "product": "membrane_mp4_plugin",
          "programFiles": [
            "lib/membrane_mp4/container/header.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Membrane.MP4.Container.Header\u0027:parse/1"
            },
            {
              "name": "\u0027Elixir.Membrane.MP4.Container.Header\u0027:parse_box_name/1"
            }
          ],
          "repo": "https://github.com/membraneframework/membrane_mp4_plugin",
          "vendor": "membraneframework",
          "versions": [
            {
              "lessThan": "0.36.7",
              "status": "affected",
              "version": "0.3.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:membraneframework:membrane_mp4_plugin:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "Elixir.Membrane.MP4.Container.Header"
          ],
          "packageName": "membraneframework/membrane_mp4_plugin",
          "packageURL": "pkg:github/membraneframework/membrane_mp4_plugin",
          "product": "membrane_mp4_plugin",
          "programFiles": [
            "lib/membrane_mp4/container/header.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Membrane.MP4.Container.Header\u0027:parse/1"
            },
            {
              "name": "\u0027Elixir.Membrane.MP4.Container.Header\u0027:parse_box_name/1"
            }
          ],
          "repo": "https://github.com/membraneframework/membrane_mp4_plugin",
          "vendor": "membraneframework",
          "versions": [
            {
              "lessThan": "56373d1ddc86968e55fbde795c14eeba24357b57",
              "status": "affected",
              "version": "ae4bf04c393aa1562f3df3d33e20bc5cb8130de2",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:membraneframework:membrane_mp4_plugin:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.36.7",
                  "versionStartIncluding": "0.3.0",
                  "vulnerable": true
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "\u0141ukasz Kita"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "\u0141ukasz Kita"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Mateusz Front"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen / EEF"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion.\u003c/p\u003e\u003cp\u003eThe MP4 box header parser converts each 4-byte box name to an atom using \u003ctt\u003eString.to_atom/1\u003c/tt\u003e without validation. \u003ctt\u003e\u0027Elixir.Membrane.MP4.Container.Header\u0027:parse_box_name/1\u003c/tt\u003e in \u003ctt\u003elib/membrane_mp4/container/header.ex\u003c/tt\u003e interns every box name encountered while \u003ctt\u003e\u0027Elixir.Membrane.MP4.Container.Header\u0027:parse/1\u003c/tt\u003e walks the input. BEAM atoms are never garbage-collected, so each unique attacker-controlled 4-byte name is a permanent allocation. A crafted MP4 of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names exhausts the atom table (default ceiling around 1,048,576 atoms), aborting the entire BEAM node and taking down all applications running on it.\u003c/p\u003e\u003cp\u003eThis issue affects membrane_mp4_plugin from 0.3.0 before 0.36.7.\u003c/p\u003e"
            }
          ],
          "value": "Allocation of Resources Without Limits or Throttling vulnerability in membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion.\n\nThe MP4 box header parser converts each 4-byte box name to an atom using String.to_atom/1 without validation. \u0027Elixir.Membrane.MP4.Container.Header\u0027:parse_box_name/1 in lib/membrane_mp4/container/header.ex interns every box name encountered while \u0027Elixir.Membrane.MP4.Container.Header\u0027:parse/1 walks the input. BEAM atoms are never garbage-collected, so each unique attacker-controlled 4-byte name is a permanent allocation. A crafted MP4 of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names exhausts the atom table (default ceiling around 1,048,576 atoms), aborting the entire BEAM node and taking down all applications running on it.\n\nThis issue affects membrane_mp4_plugin from 0.3.0 before 0.36.7."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-12T04:45:33.275Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/membraneframework/membrane_mp4_plugin/security/advisories/GHSA-43hj-fxwj-49qw"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-53423.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-53423"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/membraneframework/membrane_mp4_plugin/commit/56373d1ddc86968e55fbde795c14eeba24357b57"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Unauthenticated denial-of-service via BEAM atom table exhaustion in membrane_mp4_plugin",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-53423",
    "datePublished": "2026-06-11T10:44:51.528Z",
    "dateReserved": "2026-06-09T11:01:47.529Z",
    "dateUpdated": "2026-06-12T04:45:33.275Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48856 (GCVE-0-2026-48856)

Vulnerability from cvelistv5 – Published: 2026-06-10 14:41 – Updated: 2026-06-11 04:45
Title
httpc leaks Authorization header to cross-origin redirect targets
Summary
Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host. autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects. An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header. This vulnerability is associated with program file lib/inets/src/http_client/httpc_response.erl. This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.
CWE
  • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
EEF
Impacted products
Vendor Product Version
Erlang OTP (inets) Affected: 5.10 , < * (otp); unaffected from 9.7.1, 9.6.2.2 and 9.3.2.6
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Erlang OTP Affected: 17.0 , < * (otp); unaffected from 29.0.2, 28.5.0.2 and 27.3.4.13
Affected: 84adefa331c4159d432d22840663c38f155cd4c1 , < 688d748d6f7a6a06b13b662a1d3de8af97079612 (git)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Credits
Finder and remediation developer: Jonatan Männchen / EEF. Remediation reviewers: Ingela Anderton Andin, Konrad Pietrzak

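The summary above describes a redirect that rebuilds the request by changing only the host while every header, credentials included, is copied along. The Python below is an added illustration of that behaviour beside the same-origin check the fix implies; it is not OTP's httpc code. The origin comparison (scheme, host and effective port), the prepare_request step that turns URL userinfo into a Basic header, and the sample URLs are assumptions made for the example.

```python
"""Following a 3xx redirect: copying all request headers to the new target (the
flaw) beside a redirect that drops credentials when the origin changes (the fix).
Added illustration of the pattern, not OTP's httpc implementation."""
import base64
from urllib.parse import urljoin, urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
CREDENTIAL_HEADERS = ("authorization", "proxy-authorization")


def origin(url: str):
    """(scheme, host, effective port); an explicit default port equals an omitted one."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def prepare_request(url: str, headers: dict):
    """Models userinfo handling: user:pass@host becomes Authorization: Basic and the
    credentials are removed from the URL that goes on the wire. Header names are
    lower-cased so later lookups are case-insensitive."""
    parts = urlsplit(url)
    headers = {k.lower(): v for k, v in headers.items()}
    if parts.username is not None:
        raw = f"{parts.username}:{parts.password or ''}".encode()
        headers["authorization"] = "Basic " + base64.b64encode(raw).decode()
        netloc = parts.hostname or ""
        if parts.port:
            netloc += f":{parts.port}"
        url = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return url, headers


def redirect_verbatim(url: str, headers: dict, location: str):
    """Vulnerable: only the target changes; every header follows the Location."""
    return urljoin(url, location), dict(headers)


def redirect_same_origin_only(url: str, headers: dict, location: str):
    """Fixed: credential headers are forwarded only when scheme, host and port are
    unchanged. A scheme downgrade or a different port also counts as cross-origin."""
    target = urljoin(url, location)
    new_headers = dict(headers)
    if origin(target) != origin(url):
        for name in CREDENTIAL_HEADERS:
            new_headers.pop(name, None)
    return target, new_headers
```

A request to https://alice:s3cret@api.example.com/v1/data that is answered with Location: https://attacker.example.net/collect hands the Basic credentials to attacker.example.net under redirect_verbatim; redirect_same_origin_only delivers the same redirect without them, while a relative Location on the original host keeps them.
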
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48856",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T16:23:52.053802Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T16:24:02.066Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "httpc_response"
          ],
          "packageName": "inets",
          "packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/http_client/httpc_response.erl"
          ],
          "programRoutines": [
            {
              "name": "httpc_response:redirect/2"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "9.7.1",
                  "status": "unaffected"
                },
                {
                  "at": "9.6.2.2",
                  "status": "unaffected"
                },
                {
                  "at": "9.3.2.6",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "5.10",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "httpc_response"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "lib/inets/src/http_client/httpc_response.erl"
          ],
          "programRoutines": [
            {
              "name": "httpc_response:redirect/2"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "29.0.2",
                  "status": "unaffected"
                },
                {
                  "at": "28.5.0.2",
                  "status": "unaffected"
                },
                {
                  "at": "27.3.4.13",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "17.0",
              "versionType": "otp"
            },
            {
              "lessThan": "688d748d6f7a6a06b13b662a1d3de8af97079612",
              "status": "affected",
              "version": "84adefa331c4159d432d22840663c38f155cd4c1",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "27.3.4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "28.5.0.2",
                  "versionStartIncluding": "28.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.2",
                  "versionStartIncluding": "29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jonatan M\u00e4nnchen / EEF"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jonatan M\u00e4nnchen / EEF"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Ingela Anderton Andin"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Konrad Pietrzak"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Sensitive Data Exposure vulnerability in Erlang OTP inets (\u003ctt\u003ehttpc_response\u003c/tt\u003e module) allows Retrieve Embedded Sensitive Data.\u003cp\u003eThe \u003ctt\u003ehttpc\u003c/tt\u003e client forwards the \u003ctt\u003eAuthorization\u003c/tt\u003e and \u003ctt\u003eProxy-Authorization\u003c/tt\u003e request headers to redirect targets without checking whether the redirect crosses an origin boundary. \u003ctt\u003ehttpc_response:redirect/2\u003c/tt\u003e constructs the redirected request by updating only the \u003ctt\u003ehost\u003c/tt\u003e field of the header record; all other fields (including \u003ctt\u003eauthorization\u003c/tt\u003e and \u003ctt\u003eproxy_authorization\u003c/tt\u003e) are copied verbatim. The redirect target host is never compared against the original host.\u003c/p\u003e\u003cp\u003e\u003ctt\u003eautoredirect\u003c/tt\u003e defaults to \u003ctt\u003etrue\u003c/tt\u003e, so this affects all \u003ctt\u003ehttpc\u003c/tt\u003e callers that do not explicitly disable automatic redirects.\u003c/p\u003e\u003cp\u003eAn attacker who controls a server that the victim contacts via \u003ctt\u003ehttpc\u003c/tt\u003e can issue a cross-origin 3xx redirect to a server they also control. The \u003ctt\u003eAuthorization\u003c/tt\u003e header (including Basic credentials derived from URL userinfo via \u003ctt\u003ehttpc_request:handle_user_info/2\u003c/tt\u003e) is forwarded to the redirect target, allowing credential theft. The same applies to the \u003ctt\u003eProxy-Authorization\u003c/tt\u003e header.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/http_client/httpc_response.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.\u003c/p\u003e"
            }
          ],
          "value": "Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data.\n\nThe httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host.\n\nautoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects.\n\nAn attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header.\n\nThis vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl.\n\nThis issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-11T04:45:35.836Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjh"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-48856.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48856"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/688d748d6f7a6a06b13b662a1d3de8af97079612"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "httpc leaks Authorization header to cross-origin redirect targets",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cul\u003e\u003cli\u003eSet \u003ctt\u003e{autoredirect, false}\u003c/tt\u003e in the \u003ctt\u003ehttpc:request/4\u003c/tt\u003e options and handle redirects manually, stripping the \u003ctt\u003eAuthorization\u003c/tt\u003e header when the redirect crosses an origin boundary.\u003c/li\u003e\u003cli\u003eEnsure that \u003ctt\u003ehttpc\u003c/tt\u003e is only used to contact trusted servers that will not issue cross-origin redirects.\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "* Set {autoredirect, false} in the httpc:request/4 options and handle redirects manually, stripping the Authorization header when the redirect crosses an origin boundary.\n* Ensure that httpc is only used to contact trusted servers that will not issue cross-origin redirects."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-48856",
    "datePublished": "2026-06-10T14:41:51.616Z",
    "dateReserved": "2026-05-25T20:44:10.697Z",
    "dateUpdated": "2026-06-11T04:45:35.836Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48860 (GCVE-0-2026-48860)

Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
Title
Distribution-over-TLS LAN allowlist silently bypassed due to sockname/peername confusion in inet_tls_dist
Summary
Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist. The inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead of inet:peername/1 to obtain the peer's IP address. Because inet:sockname/1 returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including rpc:call/4 and code:load_binary/3. This vulnerability is associated with program file lib/ssl/src/inet_tls_dist.erl. This issue affects OTP from OTP 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.
CWE
  • CWE-1025 - Comparison Using Wrong Factors
  • CWE-863 - Incorrect Authorization
Assigner
EEF
Impacted products
  • Erlang OTP, package ssl (module inet_tls_dist): affected from 11.0, < * (otp); unaffected from 11.7.2, 11.6.0.2 and 11.2.12.9
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
  • Erlang OTP, package erlang/otp (GitHub): affected from 26.0, < * (otp); unaffected from 29.0.2, 28.5.0.2 and 27.3.4.13
    git: affected from 7a08c5507862a7011568506d0c17b1fdef30bee4, < 0209a6df65d605552b378273027b3968b35f26b4
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Credits
Lukas Backström (finder); Ingela Anderton Andin (remediation developer); Raimo Niskanen and Jakub Witczak (remediation reviewers)

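The sockname/peername confusion described above, as an added example that is not OTP's inet_tls_dist code: a subnet allowlist check in its broken form (both addresses from inet:sockname/1) next to the corrected form (remote address from inet:peername/1). The module name dist_ip_check, the function names and the way the local interface netmask is looked up are this example's own; the real check_ip/1 obtains its inputs differently.

```erlang
%% Added example (not OTP's inet_tls_dist): the LAN allowlist check that
%% CVE-2026-48860 describes, in broken and corrected forms. All names and
%% the netmask lookup are this example's own.
-module(dist_ip_check).
-export([lan_check/3, check_ip_buggy/1, check_ip_fixed/1, demo/0]).

%% Apply an IPv4 netmask octet by octet.
masked(IP, Mask) ->
    list_to_tuple([A band M || {A, M} <- lists:zip(tuple_to_list(IP),
                                                     tuple_to_list(Mask))]).

%% The intended rule: the peer is allowed only if it lies in the same
%% subnet as the local address of the accepting socket.
lan_check(LocalIP, Mask, PeerIP) ->
    masked(LocalIP, Mask) =:= masked(PeerIP, Mask).

%% Broken: both addresses come from inet:sockname/1, so the comparison is
%% LocalIP against LocalIP and succeeds for every remote node.
check_ip_buggy(Socket) ->
    {ok, {LocalIP, _}} = inet:sockname(Socket),
    {ok, {PeerIP, _}}  = inet:sockname(Socket),   % should be inet:peername/1
    lan_check(LocalIP, netmask_for(LocalIP), PeerIP).

%% Fixed: the remote address comes from inet:peername/1.
check_ip_fixed(Socket) ->
    {ok, {LocalIP, _}} = inet:sockname(Socket),
    {ok, {PeerIP, _}}  = inet:peername(Socket),
    lan_check(LocalIP, netmask_for(LocalIP), PeerIP).

%% Netmask of the interface that carries LocalIP (assumed helper; picks
%% the first IPv4 netmask of the interface that owns the address).
netmask_for(LocalIP) ->
    {ok, IFs} = inet:getifaddrs(),
    hd([Mask || {_Name, Opts} <- IFs,
                {addr, A} <- Opts, A =:= LocalIP,
                {netmask, Mask} <- Opts, tuple_size(Mask) =:= 4]).

%% Offline check with constructed addresses (documentation ranges).
demo() ->
    Local = {10, 0, 1, 5},
    Mask  = {255, 255, 255, 0},
    true  = lan_check(Local, Mask, {10, 0, 1, 77}),     % same /24: allowed
    false = lan_check(Local, Mask, {203, 0, 113, 9}),   % off-LAN peer: rejected
    true  = lan_check(Local, Mask, Local),              % what the buggy path compares
    ok.
```

The last line of demo/0 is the whole bug: when the "peer" address is the local address, the mask comparison is a tautology, so the check passes for any remote node whose certificate the CA accepts. To confirm a deployed node carries the fix, compare application:get_key(ssl, vsn) (after application:load(ssl)) against the unaffected ssl versions listed above.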
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48860",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T16:23:08.922807Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T16:23:31.951Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "inet_tls_dist"
          ],
          "packageName": "ssl",
          "packageURL": "pkg:otp/ssl?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/inet_tls_dist.erl"
          ],
          "programRoutines": [
            {
              "name": "inet_tls_dist:check_ip/1"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "11.7.2",
                  "status": "unaffected"
                },
                {
                  "at": "11.6.0.2",
                  "status": "unaffected"
                },
                {
                  "at": "11.2.12.9",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "11.0",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "inet_tls_dist"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "lib/ssl/src/inet_tls_dist.erl"
          ],
          "programRoutines": [
            {
              "name": "inet_tls_dist:check_ip/1"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "29.0.2",
                  "status": "unaffected"
                },
                {
                  "at": "28.5.0.2",
                  "status": "unaffected"
                },
                {
                  "at": "27.3.4.13",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "26.0",
              "versionType": "otp"
            },
            {
              "lessThan": "0209a6df65d605552b378273027b3968b35f26b4",
              "status": "affected",
              "version": "7a08c5507862a7011568506d0c17b1fdef30bee4",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Erlang distribution must be configured to use TLS (\u003ctt\u003einet_tls_dist\u003c/tt\u003e) with the \u003ctt\u003echeck_ip\u003c/tt\u003e option enabled. The default Erlang distribution configuration does not use TLS and is not affected."
            }
          ],
          "value": "The Erlang distribution must be configured to use TLS (inet_tls_dist) with the check_ip option enabled. The default Erlang distribution configuration does not use TLS and is not affected."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "27.3.4.13",
                  "versionStartIncluding": "26.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "28.5.0.2",
                  "versionStartIncluding": "28.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.2",
                  "versionStartIncluding": "29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lukas Backstr\u00f6m"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Ingela Anderton Andin"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Raimo Niskanen"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Jakub Witczak"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eReliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003einet_tls_dist:check_ip/1\u003c/tt\u003e function, which enforces a LAN allowlist for Erlang distribution over TLS, calls \u003ctt\u003einet:sockname/1\u003c/tt\u003e instead of \u003ctt\u003einet:peername/1\u003c/tt\u003e to obtain the peer\u0027s IP address. Because \u003ctt\u003einet:sockname/1\u003c/tt\u003e returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including \u003ctt\u003erpc:call/4\u003c/tt\u003e and \u003ctt\u003ecode:load_binary/3\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/ssl/src/inet_tls_dist.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.\u003c/p\u003e"
            }
          ],
          "value": "Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist.\n\nThe inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead of inet:peername/1 to obtain the peer\u0027s IP address. Because inet:sockname/1 returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including rpc:call/4 and code:load_binary/3.\n\nThis vulnerability is associated with program file lib/ssl/src/inet_tls_dist.erl.\n\nThis issue affects OTP from OTP 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        },
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115 Authentication Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "ADJACENT",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1025",
              "description": "CWE-1025 Comparison Using Wrong Factors",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-11T04:45:42.753Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-gp7x-mfv6-52cv"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-48860.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48860"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/0209a6df65d605552b378273027b3968b35f26b4"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Distribution-over-TLS LAN allowlist silently bypassed due to sockname/peername confusion in inet_tls_dist",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Implement a custom \u003ctt\u003everify_fun\u003c/tt\u003e SSL option that correctly checks the peer IP address using \u003ctt\u003einet:peername/1\u003c/tt\u003e on the socket."
            }
          ],
          "value": "Implement a custom verify_fun SSL option that correctly checks the peer IP address using inet:peername/1 on the socket."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-48860",
    "datePublished": "2026-06-10T14:35:49.987Z",
    "dateReserved": "2026-05-25T20:44:10.697Z",
    "dateUpdated": "2026-06-11T04:45:42.753Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48855 (GCVE-0-2026-48855)

Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
Title
SFTP READLINK Leaks Absolute Backend Filesystem Path When Root Is Configured
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery.

The SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to /; ssh_sftpd resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via SSH_FXP_READLINK returns that absolute path, for example /data/sftp, instead of the chrooted value /.

The information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone.

This vulnerability is associated with program file lib/ssh/src/ssh_sftpd.erl.

This issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
EEF
Impacted products
  • Erlang OTP, package ssh (module ssh_sftpd): affected from 3.0.1, < * (otp); unaffected from 6.0.1, 5.5.2.1 and 5.2.11.8
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
  • Erlang OTP, package erlang/otp (GitHub): affected from 17.0, < * (otp); unaffected from 29.0.2, 28.5.0.2 and 27.3.4.13
    git: affected from 08225797f7ef943d0c82a1d9dd6650d94ca2580d, < 8f4224a0d2676b0653d2c71a889a956e8c2c62d6
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Credits
Jonatan Männchen / EEF (finder and remediation developer); Michał Wąsowski (remediation developer); Jakub Witczak (remediation reviewer)

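The missing step in the READLINK handler, as an added example that is not OTP's ssh_sftpd code: translating an absolute backend path back into the client-visible chroot before it goes on the wire. The chroot_filename/2 here is this example's own implementation, named after the ssh_sftpd helper the advisory mentions but not copied from it; readlink_leaky/2 and readlink_fixed/2 stand in for the handler's reply step and the module name sftp_chroot is assumed.

```erlang
%% Added example (not OTP's ssh_sftpd): map a backend path into the
%% configured SFTP root before answering SSH_FXP_READLINK. Names are
%% this example's own.
-module(sftp_chroot).
-export([chroot_filename/2, readlink_leaky/2, readlink_fixed/2, demo/0]).

%% Strip the configured root from an absolute backend path, comparing
%% path components rather than string prefixes so that "/data/sftp2"
%% is not mistaken for something under "/data/sftp". The root itself
%% maps to "/"; a target outside the root is refused, not disclosed.
chroot_filename(Root, Path) ->
    RootParts = filename:split(Root),
    PathParts = filename:split(Path),
    case lists:prefix(RootParts, PathParts) of
        true ->
            case lists:nthtail(length(RootParts), PathParts) of
                []   -> {ok, "/"};
                Rest -> {ok, filename:join(["/" | Rest])}
            end;
        false ->
            {error, outside_root}
    end.

%% Vulnerable shape: the file:read_link/1 result is relayed verbatim.
readlink_leaky(_Root, Target) ->
    {ok, Target}.

%% Fixed shape: translate before the reply leaves the server.
readlink_fixed(Root, Target) ->
    chroot_filename(Root, Target).

%% Offline check with the advisory's example root (constructed paths).
demo() ->
    Root = "/data/sftp",
    {ok, "/data/sftp"}    = readlink_leaky(Root, "/data/sftp"),        % leaks the backend root
    {ok, "/"}             = readlink_fixed(Root, "/data/sftp"),        % what the client should see
    {ok, "/uploads/x"}    = readlink_fixed(Root, "/data/sftp/uploads/x"),
    {error, outside_root} = readlink_fixed(Root, "/data/sftp2/x"),
    {error, outside_root} = readlink_fixed(Root, "/etc/passwd"),
    ok.
```

This handles absolute link targets only, which is the case the advisory describes; a relative target returned by file:read_link/1 would need to be resolved against the link's own directory first and then passed through chroot_filename/2, otherwise it is refused here as outside the root.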
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48855",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T16:22:16.684743Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T16:22:24.746Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "ssh_sftpd"
          ],
          "packageName": "ssh",
          "packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/ssh_sftpd.erl"
          ],
          "programRoutines": [
            {
              "name": "ssh_sftpd:handle_op/4"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "6.0.1",
                  "status": "unaffected"
                },
                {
                  "at": "5.5.2.1",
                  "status": "unaffected"
                },
                {
                  "at": "5.2.11.8",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "3.0.1",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "ssh_sftpd"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "lib/ssh/src/ssh_sftpd.erl"
          ],
          "programRoutines": [
            {
              "name": "ssh_sftpd:handle_op/4"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "29.0.2",
                  "status": "unaffected"
                },
                {
                  "at": "28.5.0.2",
                  "status": "unaffected"
                },
                {
                  "at": "27.3.4.13",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "17.0",
              "versionType": "otp"
            },
            {
              "lessThan": "8f4224a0d2676b0653d2c71a889a956e8c2c62d6",
              "status": "affected",
              "version": "08225797f7ef943d0c82a1d9dd6650d94ca2580d",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The SFTP subsystem must be enabled on the SSH server and the \u003ctt\u003eroot\u003c/tt\u003e option must be configured in the \u003ctt\u003essh_sftpd:subsystem_spec/1\u003c/tt\u003e call. Deployments without the \u003ctt\u003eroot\u003c/tt\u003e option are not affected."
            }
          ],
          "value": "The SFTP subsystem must be enabled on the SSH server and the root option must be configured in the ssh_sftpd:subsystem_spec/1 call. Deployments without the root option are not affected."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "27.3.4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "28.5.0.2",
                  "versionStartIncluding": "28.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.2",
                  "versionStartIncluding": "29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jonatan M\u00e4nnchen / EEF"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jonatan M\u00e4nnchen / EEF"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Micha\u0142 W\u0105sowski"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Jakub Witczak"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (\u003ctt\u003essh_sftpd\u003c/tt\u003e module) allows File Discovery.\u003cp\u003eThe \u003ctt\u003eSSH_FXP_READLINK\u003c/tt\u003e handler in \u003ctt\u003essh_sftpd\u003c/tt\u003e sends the raw result of \u003ctt\u003efile:read_link/2\u003c/tt\u003e to the client without calling \u003ctt\u003echroot_filename/2\u003c/tt\u003e to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to \u003ctt\u003e/\u003c/tt\u003e; \u003ctt\u003essh_sftpd\u003c/tt\u003e resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via \u003ctt\u003eSSH_FXP_READLINK\u003c/tt\u003e returns that absolute path, for example \u003ctt\u003e/data/sftp\u003c/tt\u003e, instead of the chrooted value \u003ctt\u003e/\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.\u003c/p\u003e"
            }
          ],
          "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery.\n\nThe SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to /; ssh_sftpd resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via SSH_FXP_READLINK returns that absolute path, for example /data/sftp, instead of the chrooted value /.\n\nThe information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.\n\nThis issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-116",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-116 Excavation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-11T04:45:29.864Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-pv7g-pjrq-x2fh"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-48855.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48855"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/8f4224a0d2676b0653d2c71a889a956e8c2c62d6"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "SFTP READLINK Leaks Absolute Backend Filesystem Path When Root Is Configured",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cul\u003e\u003cli\u003eUse OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level \u003ctt\u003eroot\u003c/tt\u003e option.\u003c/li\u003e\u003cli\u003eEnsure that the SFTP server port is not reachable from untrusted machines.\u003c/li\u003e\u003cli\u003eEnsure that no sensitive information (usernames, project names, mount topology) is inferrable from the absolute path of the configured root directory.\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "* Use OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level root option.\n* Ensure that the SFTP server port is not reachable from untrusted machines.\n* Ensure that no sensitive information (usernames, project names, mount topology) is inferrable from the absolute path of the configured root directory."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-48855",
    "datePublished": "2026-06-10T14:35:49.683Z",
    "dateReserved": "2026-05-25T20:44:10.697Z",
    "dateUpdated": "2026-06-11T04:45:29.864Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48858 (GCVE-0-2026-48858)

Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
Title
ftp client PASV response IP not validated against control peer, enabling SSRF and FTP bounce attacks
Summary
Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address.

The ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server's 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. The adjacent EPSV handlers correctly call peername(CSock) to derive the IP from the control connection, but the PASV handler does not.

A malicious or compromised FTP server can redirect the client's data connection to an arbitrary internal host and port. On read operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the redirected target is returned to the caller. On write operations (ftp:send/2,3, ftp:append/2,3), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts.

The vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer. The ftp application is deprecated and scheduled for removal in OTP-30.

This vulnerability is associated with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl (ftp 1.0 and later, OTP 21.0 and later).

This issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1.
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
EEF
Impacted products
  • Erlang OTP, package inets (module ftp_internal): affected from 5.10.4, < 7.0 (otp)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
  • Erlang OTP, package ftp (module ftp_internal): affected from 1.0, < * (otp); unaffected from 1.2.6, 1.2.4.1 and 1.2.3.1
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
  • Erlang OTP, package erlang/otp (GitHub): affected from 17.4, < * (otp); unaffected from 29.0.2, 28.5.0.2 and 27.3.4.13
    git: affected from be95772ee1fcfe71045ef070130bea7a910b81e3, < *
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Credits
Jonatan Männchen / EEF; Jonatan Männchen / EEF; Ingela Anderton Andin

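The PASV check the advisory says is missing, as an added example that is not OTP's ftp_internal code: parse a 227 reply and accept the advertised data address only when it equals the control connection's peer, which is what the EPSV path already does via peername and what RFC 2577 section 3 recommends. The module name pasv_check, parse_pasv/1 and data_endpoint/2 are this example's own; the control peer address is passed in as the tuple inet:peername/1 would return for the control socket.

```erlang
%% Added example (not OTP's ftp_internal): validate an FTP 227 reply
%% against the control connection peer before opening the data
%% connection. Names are this example's own.
-module(pasv_check).
-export([parse_pasv/1, data_endpoint/2, demo/0]).

%% "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> {ok, {{h1,h2,h3,h4}, Port}}
parse_pasv(Reply) ->
    case re:run(Reply, "\\((\\d+),(\\d+),(\\d+),(\\d+),(\\d+),(\\d+)\\)",
                [{capture, all_but_first, list}]) of
        {match, Fields} ->
            [H1, H2, H3, H4, P1, P2] = [list_to_integer(F) || F <- Fields],
            case lists:all(fun(X) -> X =< 255 end, [H1, H2, H3, H4, P1, P2]) of
                true  -> {ok, {{H1, H2, H3, H4}, P1 * 256 + P2}};
                false -> {error, bad_pasv_reply}
            end;
        nomatch ->
            {error, bad_pasv_reply}
    end.

%% Where the data connection may go. CtrlPeer is the address
%% inet:peername/1 returned for the control socket. A reply naming any
%% other host is refused; the alternative, also consistent with RFC 2577,
%% is to ignore the advertised host entirely and dial CtrlPeer on the
%% advertised port.
data_endpoint(CtrlPeer, Reply) ->
    case parse_pasv(Reply) of
        {ok, {CtrlPeer, Port}} -> {ok, {CtrlPeer, Port}};
        {ok, {Other, _Port}}   -> {error, {pasv_ip_mismatch, Other}};
        Error                  -> Error
    end.

%% Offline check with constructed replies (documentation addresses).
demo() ->
    Peer = {198, 51, 100, 10},
    Good = "227 Entering Passive Mode (198,51,100,10,195,80)",
    Evil = "227 Entering Passive Mode (169,254,169,254,0,80)",   % metadata-style target
    {ok, {Peer, 50000}} = data_endpoint(Peer, Good),             % 195*256 + 80
    {error, {pasv_ip_mismatch, {169, 254, 169, 254}}} = data_endpoint(Peer, Evil),
    {error, bad_pasv_reply} = data_endpoint(Peer, "227 Entering Passive Mode (1,2,3)"),
    ok.
```

Because the vulnerable path is the default client configuration, a caller on an affected release cannot opt out through options alone; until the fixed ftp versions listed above are in place, the practical mitigations are restricting which servers the client is pointed at and restricting the client host's outbound reachability, since the redirected connection originates from the client process itself.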
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48858",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T16:20:57.662713Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T16:21:08.893Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "ftp_internal"
          ],
          "packageName": "inets",
          "packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/ftp/ftp_internal.erl"
          ],
          "programRoutines": [
            {
              "name": "ftp_internal:handle_ctrl_result/2"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "lessThan": "7.0",
              "status": "affected",
              "version": "5.10.4",
              "versionType": "otp"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "ftp_internal"
          ],
          "packageName": "ftp",
          "packageURL": "pkg:otp/ftp?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/ftp_internal.erl"
          ],
          "programRoutines": [
            {
              "name": "ftp_internal:handle_ctrl_result/2"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.2.6",
                  "status": "unaffected"
                },
                {
                  "at": "1.2.4.1",
                  "status": "unaffected"
                },
                {
                  "at": "1.2.3.1",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "1.0",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "ftp_internal"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "lib/inets/src/ftp/ftp_internal.erl",
            "lib/ftp/src/ftp_internal.erl"
          ],
          "programRoutines": [
            {
              "name": "ftp_internal:handle_ctrl_result/2"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "29.0.2",
                  "status": "unaffected"
                },
                {
                  "at": "28.5.0.2",
                  "status": "unaffected"
                },
                {
                  "at": "27.3.4.13",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "17.4",
              "versionType": "otp"
            },
            {
              "changes": [
                {
                  "at": "2691a806231ffd0490a8a9e20500dec0c7e73727",
                  "status": "unaffected"
                },
                {
                  "at": "521bcfa24407ee8cb5614823cf905c37ea3aa605",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "be95772ee1fcfe71045ef070130bea7a910b81e3",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The vulnerable path is active under the default configuration: \u003ctt\u003emode=passive\u003c/tt\u003e, \u003ctt\u003eipfamily=inet\u003c/tt\u003e, and \u003ctt\u003eftp_extension=false\u003c/tt\u003e are all defaults for \u003ctt\u003eftp:open/2\u003c/tt\u003e."
            }
          ],
          "value": "The vulnerable path is active under the default configuration: mode=passive, ipfamily=inet, and ftp_extension=false are all defaults for ftp:open/2."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "27.3.4.13",
                  "versionStartIncluding": "17.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "28.5.0.2",
                  "versionStartIncluding": "28.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.2",
                  "versionStartIncluding": "29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jonatan M\u00e4nnchen / EEF"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jonatan M\u00e4nnchen / EEF"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Ingela Anderton Andin"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eServer-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003eftp_internal:handle_ctrl_result/2\u003c/tt\u003e PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server\u0027s 227 response and passes it directly to \u003ctt\u003egen_tcp:connect/4\u003c/tt\u003e without validating it against the control connection peer address. The adjacent EPSV handlers correctly call \u003ctt\u003epeername(CSock)\u003c/tt\u003e to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client\u0027s data connection to an arbitrary internal host and port. On read operations (\u003ctt\u003eftp:ls/1,2\u003c/tt\u003e, \u003ctt\u003eftp:nlist/1,2\u003c/tt\u003e, \u003ctt\u003eftp:recv/2,3\u003c/tt\u003e), data from the redirected target is returned to the caller. On write operations (\u003ctt\u003eftp:send/2,3\u003c/tt\u003e, \u003ctt\u003eftp:append/2,3\u003c/tt\u003e), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts.\u003c/p\u003e\u003cp\u003eThe vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003eftp\u003c/tt\u003e application is deprecated and scheduled for removal in OTP-30.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/ftp/ftp_internal.erl\u003c/tt\u003e (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and \u003ctt\u003elib/ftp/src/ftp_internal.erl\u003c/tt\u003e (ftp 1.0 and later, OTP 21.0 and later).\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1.\u003c/p\u003e"
            }
          ],
          "value": "Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address.\n\nThe ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server\u0027s 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. The adjacent EPSV handlers correctly call peername(CSock) to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client\u0027s data connection to an arbitrary internal host and port. On read operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the redirected target is returned to the caller. On write operations (ftp:send/2,3, ftp:append/2,3), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts.\n\nThe vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer.\n\nThe ftp application is deprecated and scheduled for removal in OTP-30.\n\nThis vulnerability is associated with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl (ftp 1.0 and later, OTP 21.0 and later).\n\nThis issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-664",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-664 Server Side Request Forgery"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-11T04:45:36.460Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-24cv-hwgr-37fq"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-48858.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48858"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/2691a806231ffd0490a8a9e20500dec0c7e73727"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/521bcfa24407ee8cb5614823cf905c37ea3aa605"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "ftp client PASV response IP not validated against control peer, enabling SSRF and FTP bounce attacks",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Pass \u003ctt\u003e{ftp_extension, true}\u003c/tt\u003e to \u003ctt\u003eftp:open/2\u003c/tt\u003e to use EPSV instead of PASV. Alternatively, pass \u003ctt\u003e{mode, active}\u003c/tt\u003e to use active mode, or pass \u003ctt\u003e{ipfamily, inet6}\u003c/tt\u003e to force IPv6, both of which bypass the vulnerable PASV path."
            }
          ],
          "value": "Pass {ftp_extension, true} to ftp:open/2 to use EPSV instead of PASV. Alternatively, pass {mode, active} to use active mode, or pass {ipfamily, inet6} to force IPv6, both of which bypass the vulnerable PASV path."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-48858",
    "datePublished": "2026-06-10T14:35:45.466Z",
    "dateReserved": "2026-05-25T20:44:10.697Z",
    "dateUpdated": "2026-06-11T04:45:36.460Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48859 (GCVE-0-2026-48859)

Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
Title
SSH server timing side-channel in ssh_auth:check_password/3 allows unauthenticated username enumeration
Summary
Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication. When the SSH daemon is configured with the user_passwords or password option, ssh_auth:check_password/3 performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the ssh_options:get_password_option/2 path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames. The user_passwords and password options are documented as intended for test purposes; the recommended alternative is pwdfun, which is not affected by this vulnerability. This vulnerability is associated with program files lib/ssh/src/ssh_auth.erl and lib/ssh/src/ssh_options.erl. This issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1.
CWE
  • CWE-208 - Observable Timing Discrepancy
Assigner
EEF
Impacted products
Vendor Product Version
Erlang OTP Affected: 6.0 , < 6.0.1 (otp)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Erlang OTP Affected: 29.0 , < 29.0.2 (otp)
Affected: 032d1bc9491a3975c68faf9bc7776115d6ae3005 , < c342092ef4b369bb409d5b71ac8fd83bab74aedf (git)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Credits
Zhang Delong Jakub Witczak Ingela Anderton Andin Michał Wąsowski

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48859",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T16:19:16.914933Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T16:19:43.145Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "ssh_auth",
            "ssh_options"
          ],
          "packageName": "ssh",
          "packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/ssh_auth.erl",
            "src/ssh_options.erl"
          ],
          "programRoutines": [
            {
              "name": "ssh_auth:check_password/3"
            },
            {
              "name": "ssh_options:get_password_option/2"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "lessThan": "6.0.1",
              "status": "affected",
              "version": "6.0",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "ssh_auth",
            "ssh_options"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "lib/ssh/src/ssh_auth.erl",
            "lib/ssh/src/ssh_options.erl"
          ],
          "programRoutines": [
            {
              "name": "ssh_auth:check_password/3"
            },
            {
              "name": "ssh_options:get_password_option/2"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "lessThan": "29.0.2",
              "status": "affected",
              "version": "29.0",
              "versionType": "otp"
            },
            {
              "lessThan": "c342092ef4b369bb409d5b71ac8fd83bab74aedf",
              "status": "affected",
              "version": "032d1bc9491a3975c68faf9bc7776115d6ae3005",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The SSH daemon must be configured with the \u003ctt\u003euser_passwords\u003c/tt\u003e or \u003ctt\u003epassword\u003c/tt\u003e option for password authentication. Systems using the \u003ctt\u003epwdfun\u003c/tt\u003e option instead are not affected."
            }
          ],
          "value": "The SSH daemon must be configured with the user_passwords or password option for password authentication. Systems using the pwdfun option instead are not affected."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.2",
                  "versionStartIncluding": "29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Zhang Delong"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jakub Witczak"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Ingela Anderton Andin"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Micha\u0142 W\u0105sowski"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eObservable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication.\u003c/p\u003e\u003cp\u003eWhen the SSH daemon is configured with the \u003ctt\u003euser_passwords\u003c/tt\u003e or \u003ctt\u003epassword\u003c/tt\u003e option, \u003ctt\u003essh_auth:check_password/3\u003c/tt\u003e performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the \u003ctt\u003essh_options:get_password_option/2\u003c/tt\u003e path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003euser_passwords\u003c/tt\u003e and \u003ctt\u003epassword\u003c/tt\u003e options are documented as intended for test purposes; the recommended alternative is \u003ctt\u003epwdfun\u003c/tt\u003e, which is not affected by this vulnerability.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_auth.erl\u003c/tt\u003e and \u003ctt\u003elib/ssh/src/ssh_options.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1.\u003c/p\u003e"
            }
          ],
          "value": "Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication.\n\nWhen the SSH daemon is configured with the user_passwords or password option, ssh_auth:check_password/3 performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the ssh_options:get_password_option/2 path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames.\n\nThe user_passwords and password options are documented as intended for test purposes; the recommended alternative is pwdfun, which is not affected by this vulnerability.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_auth.erl and lib/ssh/src/ssh_options.erl.\n\nThis issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-116",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-116 Excavation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208 Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-11T04:45:32.938Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-3w6p-vwhf-wvp4"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-48859.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48859"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/c342092ef4b369bb409d5b71ac8fd83bab74aedf"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "SSH server timing side-channel in ssh_auth:check_password/3 allows unauthenticated username enumeration",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Use the \u003ctt\u003epwdfun\u003c/tt\u003e option instead of \u003ctt\u003euser_passwords\u003c/tt\u003e for password authentication. The \u003ctt\u003epwdfun\u003c/tt\u003e callback gives full control over timing behavior and is not affected by this vulnerability. Implementations should take care to execute in approximately constant time regardless of username validity."
            }
          ],
          "value": "Use the pwdfun option instead of user_passwords for password authentication. The pwdfun callback gives full control over timing behavior and is not affected by this vulnerability. Implementations should take care to execute in approximately constant time regardless of username validity."
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Restrict SSH port access to trusted networks only via firewall rules, reducing the set of potential attackers who can perform timing measurements."
            }
          ],
          "value": "Restrict SSH port access to trusted networks only via firewall rules, reducing the set of potential attackers who can perform timing measurements."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-48859",
    "datePublished": "2026-06-10T14:35:43.553Z",
    "dateReserved": "2026-05-25T20:44:10.697Z",
    "dateUpdated": "2026-06-11T04:45:32.938Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-49759 (GCVE-0-2026-49759)

Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-07-01 04:45
Title
Stack buffer overflow in SCTP error cause parsing in inet_drv allows remote VM crash
Summary
Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk. The sctp_parse_error_chunk function in erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated ErlDrvTermData spec[] array without checking bounds. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit values interleaved with a fixed tag, so the overflow does not provide a controlled return address, limiting exploitation to Denial of Service. A crafted SCTP ERROR chunk may also leak bits and pieces of Erlang VM memory into the received error packet observed by the Erlang process. Such data is already readable by the user running the Erlang VM, so the disclosure scope is limited. This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and 17.0.2.
CWE
  • CWE-121 - Stack-based Buffer Overflow
Assigner
EEF
Impacted products
Vendor Product Version
Erlang OTP Affected: 6.0 , < * (otp)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Erlang OTP Affected: 17.0 , < * (otp)
Affected: 84adefa331c4159d432d22840663c38f155cd4c1 , < 3983d495284331c121f600a80bac9fcf4e16381e (git)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Credits
Zhang Delong Raimo Niskanen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-49759",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T16:18:27.945916Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T16:18:43.800Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:openstack:16.2"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat OpenStack Platform 16.2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openstack:17.1"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat OpenStack Platform 17.1",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openstack:18.0"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat OpenStack Platform 18.0",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-06-10T14:35:38.838Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in Erlang OTP (Open Telecom Platform) erts, specifically within the `inet_drv` component. An unauthenticated remote attacker can exploit a stack-based buffer overflow vulnerability by sending a specially crafted Stream Control Transmission Protocol (SCTP) ERROR chunk. This can lead to a Denial of Service (DoS) by crashing the BEAM virtual machine. Additionally, this flaw may result in limited information disclosure by leaking small portions of Erlang VM memory."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.2,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-120",
                "description": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T12:09:55.439Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-49759"
          },
          {
            "name": "RHBZ#2487607",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487607"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49759.json"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-06-10T16:01:51.030Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-06-10T14:35:38.838Z",
            "value": "Made public."
          }
        ],
        "title": "erlang: Erlang OTP: Denial of Service via crafted SCTP ERROR chunk",
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "inet_drv"
          ],
          "packageName": "erts",
          "packageURL": "pkg:otp/erts?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "emulator/drivers/common/inet_drv.c"
          ],
          "programRoutines": [
            {
              "name": "sctp_parse_error_chunk"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "15.2.7.9",
                  "status": "unaffected"
                },
                {
                  "at": "16.4.0.2",
                  "status": "unaffected"
                },
                {
                  "at": "17.0.2",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "6.0",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "inet_drv"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "erts/emulator/drivers/common/inet_drv.c"
          ],
          "programRoutines": [
            {
              "name": "sctp_parse_error_chunk"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "27.3.4.13",
                  "status": "unaffected"
                },
                {
                  "at": "28.5.0.2",
                  "status": "unaffected"
                },
                {
                  "at": "29.0.2",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "17.0",
              "versionType": "otp"
            },
            {
              "lessThan": "3983d495284331c121f600a80bac9fcf4e16381e",
              "status": "affected",
              "version": "84adefa331c4159d432d22840663c38f155cd4c1",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "SCTP support must be compiled into OTP. A listening SCTP socket must be opened via \u003ctt\u003egen_sctp\u003c/tt\u003e with the default \u003ctt\u003einet\u003c/tt\u003e backend and must be reachable from the attacker\u0027s network. Windows builds are unaffected as SCTP is not supported on Windows."
            }
          ],
          "value": "SCTP support must be compiled into OTP. A listening SCTP socket must be opened via gen_sctp with the default inet backend and must be reachable from the attacker\u0027s network. Windows builds are unaffected as SCTP is not supported on Windows."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "27.3.4.13",
                  "versionStartIncluding": "17.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "28.5.0.2",
                  "versionStartIncluding": "28.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.2",
                  "versionStartIncluding": "29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Zhang Delong"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Raimo Niskanen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Stack-based Buffer Overflow vulnerability in Erlang OTP \u003ctt\u003eerts\u003c/tt\u003e (\u003ctt\u003einet_drv\u003c/tt\u003e) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk.\u003cp\u003eThe \u003ctt\u003esctp_parse_error_chunk\u003c/tt\u003e function in \u003ctt\u003eerts/emulator/drivers/common/inet_drv.c\u003c/tt\u003e parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated \u003ctt\u003eErlDrvTermData spec[]\u003c/tt\u003e array without checking bounds. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit values interleaved with a fixed tag, so the overflow does not provide a controlled return address, limiting exploitation to Denial of Service.\u003c/p\u003e\u003cp\u003eA crafted SCTP ERROR chunk may also leak bits and pieces of Erlang VM memory into the received error packet observed by the Erlang process. Such data is already readable by the user running the Erlang VM, so the disclosure scope is limited.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and 17.0.2.\u003c/p\u003e"
            }
          ],
          "value": "Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk.\n\nThe sctp_parse_error_chunk function in erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated ErlDrvTermData spec[] array without checking bounds. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit values interleaved with a fixed tag, so the overflow does not provide a controlled return address, limiting exploitation to Denial of Service.\n\nA crafted SCTP ERROR chunk may also leak bits and pieces of Erlang VM memory into the received error packet observed by the Erlang process. Such data is already readable by the user running the Erlang VM, so the disclosure scope is limited.\n\nThis issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and 17.0.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-01T04:45:31.080Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-6f4f-chj5-5g97"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-49759.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-49759"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/3983d495284331c121f600a80bac9fcf4e16381e"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Stack buffer overflow in SCTP error cause parsing in inet_drv allows remote VM crash",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-49759",
    "datePublished": "2026-06-10T14:35:38.838Z",
    "dateReserved": "2026-06-01T13:45:22.449Z",
    "dateUpdated": "2026-07-01T04:45:31.080Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-49760 (GCVE-0-2026-49760)

Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
Title
Stack Buffer Overflow in ei_s_print_term at Very Large Integer
Summary
Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow. This vulnerability is associated with program file lib/erl_interface/src/misc/ei_printterm.c and program routine ei_s_print_term. The C function ei_s_print_term uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of 0-9 and A-F, which limits exploitation to Denial of Service. The companion function ei_print_term, which prints directly to a FILE instead of a memory buffer, does not contain this bug. This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.
CWE
  • CWE-121 - Stack-based Buffer Overflow
Assigner
EEF
Impacted products
Vendor Product Version
Erlang OTP Affected: 3.7.16 , < * (otp)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
    Erlang OTP Affected: 17.0 , < * (otp)
Affected: 84adefa331c4159d432d22840663c38f155cd4c1 , < 0bef277b2d39dc8babb9ceb4f5d0a456f3007111 (git)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Credits
Jonatan Männchen / EEF Sverker Eriksson

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-49760",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T16:16:14.697009Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T16:16:28.366Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "erl_interface"
          ],
          "packageName": "erl_interface",
          "packageURL": "pkg:otp/erl_interface?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/misc/ei_printterm.c"
          ],
          "programRoutines": [
            {
              "name": "ei_s_print_term"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "5.5.2.1",
                  "status": "unaffected"
                },
                {
                  "at": "5.7.0.1",
                  "status": "unaffected"
                },
                {
                  "at": "5.8.1",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "3.7.16",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "erl_interface"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "lib/erl_interface/src/misc/ei_printterm.c"
          ],
          "programRoutines": [
            {
              "name": "ei_s_print_term"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "changes": [
                {
                  "at": "27.3.4.13",
                  "status": "unaffected"
                },
                {
                  "at": "28.5.0.2",
                  "status": "unaffected"
                },
                {
                  "at": "29.0.2",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "17.0",
              "versionType": "otp"
            },
            {
              "lessThan": "0bef277b2d39dc8babb9ceb4f5d0a456f3007111",
              "status": "affected",
              "version": "84adefa331c4159d432d22840663c38f155cd4c1",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "27.3.4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "28.5.0.2",
                  "versionStartIncluding": "28.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.2",
                  "versionStartIncluding": "29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jonatan M\u00e4nnchen / EEF"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Sverker Eriksson"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eStack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/erl_interface/src/misc/ei_printterm.c\u003c/tt\u003e and program routine \u003ctt\u003eei_s_print_term\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe C function \u003ctt\u003eei_s_print_term\u003c/tt\u003e uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of \u003ctt\u003e0\u003c/tt\u003e-\u003ctt\u003e9\u003c/tt\u003e and \u003ctt\u003eA\u003c/tt\u003e-\u003ctt\u003eF\u003c/tt\u003e, which limits exploitation to Denial of Service.\u003c/p\u003e\u003cp\u003eThe companion function \u003ctt\u003eei_print_term\u003c/tt\u003e, which prints directly to a \u003ctt\u003eFILE\u003c/tt\u003e instead of a memory buffer, does not contain this bug.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.\u003c/p\u003e"
            }
          ],
          "value": "Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow.\n\nThis vulnerability is associated with program file lib/erl_interface/src/misc/ei_printterm.c and program routine ei_s_print_term.\n\nThe C function ei_s_print_term uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of 0-9 and A-F, which limits exploitation to Denial of Service.\n\nThe companion function ei_print_term, which prints directly to a FILE instead of a memory buffer, does not contain this bug.\n\nThis issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-8",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-8 Buffer Overflow in an API Call"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-11T04:45:57.427Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-xcxj-5pg2-v72j"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-49760.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-49760"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/0bef277b2d39dc8babb9ceb4f5d0a456f3007111"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Stack Buffer Overflow in ei_s_print_term at Very Large Integer",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Avoid calling \u003ctt\u003eei_s_print_term\u003c/tt\u003e with untrusted data whose encoded integer representation could exceed 2000 characters."
            }
          ],
          "value": "Avoid calling ei_s_print_term with untrusted data whose encoded integer representation could exceed 2000 characters."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-49760",
    "datePublished": "2026-06-10T14:35:36.804Z",
    "dateReserved": "2026-06-01T13:45:22.449Z",
    "dateUpdated": "2026-06-11T04:45:57.427Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-49762 (GCVE-0-2026-49762)

Vulnerability from cvelistv5 – Published: 2026-06-09 14:04 – Updated: 2026-06-10 04:43
Title
Unbounded integer parsing in the Version module enables CPU and memory exhaustion denial of service
Summary
Uncontrolled Resource Consumption vulnerability in the Elixir standard library's Version module allows an attacker who controls a version string to cause a denial of service through CPU and memory exhaustion. The version parser converts numeric version components (major, minor, patch and numeric pre-release/build identifiers) to integers without bounding their length. A single large all-digit component therefore forces a super-linear, non-yielding base-10 to arbitrary-precision integer conversion (String.to_integer/1, i.e. :erlang.binary_to_integer/1) that pins a BEAM scheduler, and a larger component raises an uncaught SystemLimitError that crashes the calling process. A single moderately sized string (around one megabyte) is enough; no authentication is required. This is reachable from the public entry points Version.parse/1, Version.parse!/1, Version.match?/3, Version.compare/2, and Version.parse_requirement/1, which applications routinely call on untrusted input such as HTTP parameters, dependency-manifest fields, and package metadata. This vulnerability is associated with program files lib/version.ex and program routines 'Elixir.Version.Parser':parse_digits/2. This issue affects Elixir: from 1.5.0 before 1.20.1.
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
EEF
Impacted products
Vendor Product Version
elixir-lang elixir Affected: 1.5.0 , < 1.20.1 (semver)
    cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:*
    elixir-lang elixir Affected: 63e186aea94395897dc4964d82d250130c01ec25 , < c64417d72fd5c7d09e963ca3ac5fa2b140978d9e (git)
    cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:*
Credits
Peter Ullrich José Valim Eric Meadows-Jönsson Jonatan Männchen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-49762",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T14:48:56.343391Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T14:49:07.338Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Version\u0027",
            "\u0027Elixir.Version.Parser\u0027"
          ],
          "packageName": "elixir-lang/elixir",
          "packageURL": "pkg:otp/elixir?repository_url=https:%2F%2Fgithub.com%2Felixir-lang%2Felixir\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Felixir-lang%2Felixir.git",
          "product": "elixir",
          "programFiles": [
            "lib/version.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Version\u0027:parse/1"
            },
            {
              "name": "\u0027Elixir.Version\u0027:parse!/1"
            },
            {
              "name": "\u0027Elixir.Version\u0027:match?/3"
            },
            {
              "name": "\u0027Elixir.Version\u0027:compare/2"
            },
            {
              "name": "\u0027Elixir.Version\u0027:parse_requirement/1"
            },
            {
              "name": "\u0027Elixir.Version.Parser\u0027:parse_version/2"
            },
            {
              "name": "\u0027Elixir.Version.Parser\u0027:parse_digits/2"
            },
            {
              "name": "\u0027Elixir.Version.Parser\u0027:require_digits/1"
            },
            {
              "name": "\u0027Elixir.Version.Parser\u0027:convert_parts_to_integer/2"
            }
          ],
          "repo": "https://github.com/elixir-lang/elixir",
          "vendor": "elixir-lang",
          "versions": [
            {
              "lessThan": "1.20.1",
              "status": "affected",
              "version": "1.5.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Version\u0027",
            "\u0027Elixir.Version.Parser\u0027"
          ],
          "packageName": "elixir-lang/elixir",
          "packageURL": "pkg:github/elixir-lang/elixir",
          "product": "elixir",
          "programFiles": [
            "lib/elixir/lib/version.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Version\u0027:parse/1"
            },
            {
              "name": "\u0027Elixir.Version\u0027:parse!/1"
            },
            {
              "name": "\u0027Elixir.Version\u0027:match?/3"
            },
            {
              "name": "\u0027Elixir.Version\u0027:compare/2"
            },
            {
              "name": "\u0027Elixir.Version\u0027:parse_requirement/1"
            },
            {
              "name": "\u0027Elixir.Version.Parser\u0027:parse_version/2"
            },
            {
              "name": "\u0027Elixir.Version.Parser\u0027:parse_digits/2"
            },
            {
              "name": "\u0027Elixir.Version.Parser\u0027:require_digits/1"
            },
            {
              "name": "\u0027Elixir.Version.Parser\u0027:convert_parts_to_integer/2"
            }
          ],
          "repo": "https://github.com/elixir-lang/elixir.git",
          "vendor": "elixir-lang",
          "versions": [
            {
              "lessThan": "c64417d72fd5c7d09e963ca3ac5fa2b140978d9e",
              "status": "affected",
              "version": "63e186aea94395897dc4964d82d250130c01ec25",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.20.1",
                  "versionStartIncluding": "1.5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jos\u00e9 Valim"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Eric Meadows-J\u00f6nsson"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUncontrolled Resource Consumption vulnerability in the Elixir standard library\u0027s \u003ctt\u003eVersion\u003c/tt\u003e module allows an attacker who controls a version string to cause a denial of service through CPU and memory exhaustion.\u003c/p\u003e\u003cp\u003eThe version parser converts numeric version components (major, minor, patch and numeric pre-release/build identifiers) to integers without bounding their length. A single large all-digit component therefore forces a super-linear, non-yielding base-10 to arbitrary-precision integer conversion (\u003ctt\u003eString.to_integer/1\u003c/tt\u003e, i.e. \u003ctt\u003e:erlang.binary_to_integer/1\u003c/tt\u003e) that pins a BEAM scheduler, and a larger component raises an uncaught \u003ctt\u003eSystemLimitError\u003c/tt\u003e that crashes the calling process. A single moderately sized string (around one megabyte) is enough; no authentication is required.\u003c/p\u003e\u003cp\u003eThis is reachable from the public entry points \u003ctt\u003eVersion.parse/1\u003c/tt\u003e, \u003ctt\u003eVersion.parse!/1\u003c/tt\u003e, \u003ctt\u003eVersion.match?/3\u003c/tt\u003e, \u003ctt\u003eVersion.compare/2\u003c/tt\u003e, and \u003ctt\u003eVersion.parse_requirement/1\u003c/tt\u003e, which applications routinely call on untrusted input such as HTTP parameters, dependency-manifest fields, and package metadata.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/version.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Version.Parser\u0027:parse_digits/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects Elixir: from 1.5.0 before 1.20.1.\u003c/p\u003e"
            }
          ],
          "value": "Uncontrolled Resource Consumption vulnerability in the Elixir standard library\u0027s Version module allows an attacker who controls a version string to cause a denial of service through CPU and memory exhaustion.\n\nThe version parser converts numeric version components (major, minor, patch and numeric pre-release/build identifiers) to integers without bounding their length. A single large all-digit component therefore forces a super-linear, non-yielding base-10 to arbitrary-precision integer conversion (String.to_integer/1, i.e. :erlang.binary_to_integer/1) that pins a BEAM scheduler, and a larger component raises an uncaught SystemLimitError that crashes the calling process. A single moderately sized string (around one megabyte) is enough; no authentication is required.\n\nThis is reachable from the public entry points Version.parse/1, Version.parse!/1, Version.match?/3, Version.compare/2, and Version.parse_requirement/1, which applications routinely call on untrusted input such as HTTP parameters, dependency-manifest fields, and package metadata.\n\nThis vulnerability is associated with program files lib/version.ex and program routines \u0027Elixir.Version.Parser\u0027:parse_digits/2.\n\nThis issue affects Elixir: from 1.5.0 before 1.20.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T04:43:08.517Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/elixir-lang/elixir/security/advisories/GHSA-w2h8-8x3g-278p"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-49762.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-49762"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/elixir-lang/elixir/commit/c64417d72fd5c7d09e963ca3ac5fa2b140978d9e"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unbounded integer parsing in the Version module enables CPU and memory exhaustion denial of service",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-49762",
    "datePublished": "2026-06-09T14:04:07.405Z",
    "dateReserved": "2026-06-01T13:45:22.449Z",
    "dateUpdated": "2026-06-10T04:43:08.517Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43966 (GCVE-0-2026-43966)

Vulnerability from cvelistv5 – Published: 2026-06-08 16:34 – Updated: 2026-06-09 04:38
Title
HTTP Response Splitting via Non-VCHAR Bytes in cow_http_struct_hd:escape_string/2
Summary
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. cow_http_struct_hd:escape_string/2 in cowlib only escapes \ and ", passing all other bytes through verbatim. This creates an encoder/decoder asymmetry: the matching parser accepts only printable ASCII (0x20–0x7E, excluding " and \), but the encoder emits any byte including CR and LF. An application that builds a structured HTTP header via cow_http_struct_hd:item/1 (or a higher-level wrapper such as cow_http_hd:wt_protocol/1) from attacker-controlled input can have \r\n injected into the serialized header value. Once on the wire, the injected CRLF terminates the current header and any following bytes are interpreted as a new header, enabling HTTP response splitting. This issue affects cowlib from 2.9.0.
CWE
  • CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Assigner
EEF
Impacted products
Vendor Product Version
ninenines cowlib Affected: 2.9.0 (semver)
    cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*
    ninenines cowlib Affected: a8b793db3d6ffe91d62f81baf41b1dab4cd78fb6 (git)
    cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*
Credits
Peter Ullrich Loïc Hoguin

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-43966",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-08T18:37:59.853576Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-08T18:38:08.160Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "cow_http_struct_hd"
          ],
          "packageName": "cowlib",
          "packageURL": "pkg:hex/cowlib",
          "product": "cowlib",
          "programFiles": [
            "src/cow_http_struct_hd.erl"
          ],
          "programRoutines": [
            {
              "name": "cow_http_struct_hd:escape_string/2"
            },
            {
              "name": "cow_http_struct_hd:bare_item/1"
            }
          ],
          "repo": "https://github.com/ninenines/cowlib",
          "vendor": "ninenines",
          "versions": [
            {
              "status": "affected",
              "version": "2.9.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "cow_http_struct_hd"
          ],
          "packageName": "ninenines/cowlib",
          "packageURL": "pkg:github/ninenines/cowlib",
          "product": "cowlib",
          "programFiles": [
            "src/cow_http_struct_hd.erl"
          ],
          "programRoutines": [
            {
              "name": "cow_http_struct_hd:escape_string/2"
            },
            {
              "name": "cow_http_struct_hd:bare_item/1"
            }
          ],
          "repo": "https://github.com/ninenines/cowlib",
          "vendor": "ninenines",
          "versions": [
            {
              "status": "affected",
              "version": "a8b793db3d6ffe91d62f81baf41b1dab4cd78fb6",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe application must pass attacker-controlled data as a string value into \u003ctt\u003ecow_http_struct_hd:item/1\u003c/tt\u003e (or a wrapper that delegates to it). Applications that construct structured-fields header values exclusively from trusted, application-controlled values are not affected.\u003c/p\u003e"
            }
          ],
          "value": "The application must pass attacker-controlled data as a string value into cow_http_struct_hd:item/1 (or a wrapper that delegates to it). Applications that construct structured-fields header values exclusively from trusted, application-controlled values are not affected."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.9.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Lo\u00efc Hoguin"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027) vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values.\u003c/p\u003e\u003cp\u003e\u003ctt\u003ecow_http_struct_hd:escape_string/2\u003c/tt\u003e in cowlib only escapes \u003ctt\u003e\\\u003c/tt\u003e and \u003ctt\u003e\"\u003c/tt\u003e, passing all other bytes through verbatim. This creates an encoder/decoder asymmetry: the matching parser accepts only printable ASCII (0x20\u20130x7E, excluding \u003ctt\u003e\"\u003c/tt\u003e and \u003ctt\u003e\\\u003c/tt\u003e), but the encoder emits any byte including CR and LF. An application that builds a structured HTTP header via \u003ctt\u003ecow_http_struct_hd:item/1\u003c/tt\u003e (or a higher-level wrapper such as \u003ctt\u003ecow_http_hd:wt_protocol/1\u003c/tt\u003e) from attacker-controlled input can have \u003ctt\u003e\\r\\n\u003c/tt\u003e injected into the serialized header value. Once on the wire, the injected CRLF terminates the current header and any following bytes are interpreted as a new header, enabling HTTP response splitting.\u003c/p\u003e\u003cp\u003eThis issue affects cowlib from 2.9.0.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027) vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values.\n\ncow_http_struct_hd:escape_string/2 in cowlib only escapes \\ and \", passing all other bytes through verbatim. This creates an encoder/decoder asymmetry: the matching parser accepts only printable ASCII (0x20\u20130x7E, excluding \" and \\), but the encoder emits any byte including CR and LF. An application that builds a structured HTTP header via cow_http_struct_hd:item/1 (or a higher-level wrapper such as cow_http_hd:wt_protocol/1) from attacker-controlled input can have \\r\\n injected into the serialized header value. Once on the wire, the injected CRLF terminates the current header and any following bytes are interpreted as a new header, enabling HTTP response splitting.\n\nThis issue affects cowlib from 2.9.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-34",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-34 HTTP Response Splitting"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-113",
              "description": "CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T04:38:15.827Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "related",
            "third-party-advisory"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-43966.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-43966"
        },
        {
          "tags": [
            "mitigation"
          ],
          "url": "https://github.com/ninenines/cowboy/commit/f77cb9b5e730e300fffb551db1ba5d1c4ed878ef"
        },
        {
          "tags": [
            "mitigation"
          ],
          "url": "https://github.com/ninenines/gun/commit/4f35609eb37109b106a863fc9ba83d7ee64e3e42"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "HTTP Response Splitting via Non-VCHAR Bytes in cow_http_struct_hd:escape_string/2",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eValidate all values passed into structured-fields header builders (directly via \u003ctt\u003ecow_http_struct_hd:item/1\u003c/tt\u003e or indirectly via higher-level wrappers) before calling the encoder. Reject any value that is not from a trusted, application-controlled source or that contains CR (\u003ctt\u003e\\r\u003c/tt\u003e) or LF (\u003ctt\u003e\\n\u003c/tt\u003e) bytes.\u003c/p\u003e\u003cp\u003eApplications using cowboy 2.16.0 or later are protected on the server side by the \u003ctt\u003einvalid_response_headers\u003c/tt\u003e option (defaults to \u003ctt\u003eerror_terminate\u003c/tt\u003e), which rejects any outgoing response header value containing CR or LF before it reaches the wire. Applications using gun 2.4.0 or later are protected on the client side by the \u003ctt\u003einvalid_request_headers\u003c/tt\u003e request option (defaults to \u003ctt\u003eraise\u003c/tt\u003e), which raises an exception when an outgoing request header value contains CR or LF.\u003c/p\u003e"
            }
          ],
          "value": "Validate all values passed into structured-fields header builders (directly via cow_http_struct_hd:item/1 or indirectly via higher-level wrappers) before calling the encoder. Reject any value that is not from a trusted, application-controlled source or that contains CR (\\r) or LF (\\n) bytes.\n\nApplications using cowboy 2.16.0 or later are protected on the server side by the invalid_response_headers option (defaults to error_terminate), which rejects any outgoing response header value containing CR or LF before it reaches the wire. Applications using gun 2.4.0 or later are protected on the client side by the invalid_request_headers request option (defaults to raise), which raises an exception when an outgoing request header value contains CR or LF."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-43966",
    "datePublished": "2026-06-08T16:34:33.364Z",
    "dateReserved": "2026-05-04T18:23:25.573Z",
    "dateUpdated": "2026-06-09T04:38:15.827Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}