
Description

Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote code execution on the server. 'Elixir.GRPC.Codec.Erlpack':decode/2 (lib/grpc/codec/erlpack.ex) calls :erlang.binary_to_term/1 on the raw gRPC message body without the :safe option, without a size bound, and without a type guard. Any unauthenticated peer that sends a request with Content-Type: application/grpc+erlpack can send a crafted payload that mints arbitrary new atoms (which are never garbage-collected, exhausting the bounded atom table and crashing the VM) or that encodes a fun term which, if applied anywhere downstream, executes attacker-controlled code inside the server process. This issue affects grpc from 0.4.0 before 1.0.0.
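As an added example (not elixir-grpc's own code), the decode shape the advisory describes beside a hardened variant that applies the three missing controls: a size bound, the :safe option, and a type guard that refuses funs and process-like terms before they can reach any call site. The module name, the size limit and the guard are assumptions.

```elixir
defmodule ErlpackGuard do
  # Added example, not elixir-grpc's code. Contrasts the decode shape the
  # advisory describes with a bounded, :safe, type-guarded variant.
  # @max_bytes is an assumed limit; size it to your largest legitimate message.
  @max_bytes 1_048_576

  # Vulnerable shape: every byte on the wire reaches binary_to_term/1 with
  # no :safe flag, so unknown atoms are minted and fun terms are accepted.
  def decode_unsafe(bin) when is_binary(bin), do: :erlang.binary_to_term(bin)

  # Hardened shape, checked in order: reject oversized bodies before decoding,
  # decode with :safe (unknown atoms, and terms that embed them, raise badarg),
  # then walk the term and refuse anything callable or process-like.
  def decode_safe(bin) when is_binary(bin) and byte_size(bin) > @max_bytes,
    do: {:error, :too_large}

  def decode_safe(bin) when is_binary(bin) do
    term = :erlang.binary_to_term(bin, [:safe])
    if unsafe?(term), do: {:error, :unsafe_term}, else: {:ok, term}
  rescue
    ArgumentError -> {:error, :bad_term}
  end

  # Structural walk: funs, pids, ports and refs are rejected wherever they
  # sit; lists (proper or improper), tuples and maps are descended into.
  defp unsafe?(t) when is_function(t) or is_pid(t) or is_port(t) or is_reference(t),
    do: true
  defp unsafe?([h | t]), do: unsafe?(h) or unsafe?(t)
  defp unsafe?(t) when is_tuple(t), do: t |> Tuple.to_list() |> unsafe?()
  defp unsafe?(t) when is_map(t), do: Enum.any?(t, fn {k, v} -> unsafe?(k) or unsafe?(v) end)
  defp unsafe?(_), do: false

  # Demo on constructed input: a plain map decodes; a fun built locally (so its
  # atoms already exist and :safe alone may not refuse it) is caught by the walk.
  def demo do
    map_bin = :erlang.term_to_binary(%{"id" => 1, "name" => "alice"})
    fun_bin = :erlang.term_to_binary(fn -> :ok end)
    {decode_safe(map_bin), decode_safe(fun_bin)}
  end
end

IO.inspect(ErlpackGuard.demo())
```

The size check runs before any decoding so an oversized body never touches the term decoder, and the walk runs after :safe so a fun that passes the atom check is still refused.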

Status: PUBLISHED | Reserved 2026-05-25 | Published 2026-06-15 | Updated 2026-06-17 | Assigner: EEF

Severity

CRITICAL: 9.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-502 Deserialization of Untrusted Data

CWE-770 Allocation of Resources Without Limits or Throttling

Product status

Version range (semver)
Default status: unaffected
0.4.0 before 1.0.0: affected

Version range (git)
Default status: unaffected
25bcc569fe2cc4478531a6c546c923205fc751c9 before 272a97a5ea1b46af1819f14a831fcf35fc91f992: affected

Credits

Peter Ullrich (finder)

Paulo Valente (remediation developer)

Jonatan Männchen (analyst)

References

github.com/...c/grpc/security/advisories/GHSA-grp7-v8xh-rj7h (exploit)

github.com/...c/grpc/security/advisories/GHSA-grp7-v8xh-rj7h (vendor-advisory, related)

cna.erlef.org/cves/CVE-2026-48853.html (related)

osv.dev/vulnerability/EEF-CVE-2026-48853 (related)

github.com/...ommit/272a97a5ea1b46af1819f14a831fcf35fc91f992 (patch)

cve.org (CVE-2026-48853)

nvd.nist.gov (CVE-2026-48853)
