Description

Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body. 'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node. This issue affects grpc from 0.3.1 before 1.0.0.
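Added example, not part of this advisory and not the elixir-grpc project's own code: a bounded body reader in Elixir that applies the two controls the description says are missing, a total size cap and a finite read deadline, on top of Cowboy 2.x's `:cowboy_req.read_body/2`. The module, function and option names and the limit values are assumptions.

```elixir
# Added example, not the elixir-grpc project's code: a bounded alternative to
# an unbounded read-all-chunks loop. Assumes Cowboy 2.x, where
# :cowboy_req.read_body/2 returns {:ok, chunk, req} for the last chunk and
# {:more, chunk, req} while body remains (module/option names are hypothetical).
defmodule BoundedBodyReader do
  @default_max_bytes 4 * 1024 * 1024  # constructed cap; size it per service
  @default_deadline_ms 30_000         # finite fallback when grpc-timeout is absent
  @doc """
  Reads the full request body under two limits:
    * the total size never exceeds `:max_bytes` (an oversized body is rejected
      on the chunk that would cross the limit, before it is buffered), and
    * the whole read must finish within `:deadline_ms`, so a slow-trickle
      client cannot hold the connection open indefinitely.
  Returns {:ok, body, req} | {:error, :too_large | :timeout, req}.
  """
  def read_full_body(req, opts \\ []) do
    max_bytes = Keyword.get(opts, :max_bytes, @default_max_bytes)
    # Even when the client sent no grpc-timeout, the deadline stays finite.
    deadline_ms = Keyword.get(opts, :deadline_ms, @default_deadline_ms)
    deadline = System.monotonic_time(:millisecond) + deadline_ms
    do_read(req, [], 0, max_bytes, deadline)
  end

  defp do_read(req, acc, size, max_bytes, deadline) do
    remaining_ms = deadline - System.monotonic_time(:millisecond)

    if remaining_ms <= 0 do
      {:error, :timeout, req}
    else
      # Ask for at most the remaining byte budget plus one, so crossing the limit
      # shows up on the offending chunk; bound each wait by the time left.
      read_opts = %{length: max_bytes - size + 1, period: remaining_ms}

      case :cowboy_req.read_body(req, read_opts) do
        {:ok, chunk, req} when size + byte_size(chunk) <= max_bytes ->
          {:ok, IO.iodata_to_binary(Enum.reverse([chunk | acc])), req}

        {:more, chunk, req} when size + byte_size(chunk) <= max_bytes ->
          # iolist accumulation avoids re-copying a growing binary per chunk
          do_read(req, [chunk | acc], size + byte_size(chunk), max_bytes, deadline)

        {_, _chunk, req} ->
          # Over budget: stop reading; the caller should answer RESOURCE_EXHAUSTED.
          {:error, :too_large, req}
      end
    end
  end
end
```

Cowboy returns an empty `{:more, <<>>, req}` once `period` elapses without data, which is what lets the deadline check above fire for a client that sends nothing for a long stretch.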

PUBLISHED Reserved 2026-05-25 | Published 2026-06-15 | Updated 2026-06-17 | Assigner EEF

HIGH: 8.7 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-770 Allocation of Resources Without Limits or Throttling

Product status

Default status: unaffected
Affected: 0.3.1 (semver) before 1.0.0

Default status: unaffected
Affected: d1abe70a6cad6dac4a3f8235d883d7c896989560 (git) before 49e18c3ec6bb9afe2f712caad3dbab5c56a68a00

Credits

Peter Ullrich finder

Paulo Valente remediation developer

Jonatan Männchen analyst

References

github.com/...c/grpc/security/advisories/GHSA-q8gf-9rvj-gmgj exploit

github.com/...c/grpc/security/advisories/GHSA-q8gf-9rvj-gmgj vendor-advisory related

cna.erlef.org/cves/CVE-2026-48854.html related

osv.dev/vulnerability/EEF-CVE-2026-48854 related

github.com/...ommit/49e18c3ec6bb9afe2f712caad3dbab5c56a68a00 patch

cve.org (CVE-2026-48854)

nvd.nist.gov (CVE-2026-48854)