Description

Allocation of Resources Without Limits or Throttling vulnerability in membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion. The MP4 box header parser converts each 4-byte box name to an atom using String.to_atom/1 without validation. 'Elixir.Membrane.MP4.Container.Header':parse_box_name/1 in lib/membrane_mp4/container/header.ex interns every box name encountered while 'Elixir.Membrane.MP4.Container.Header':parse/1 walks the input. BEAM atoms are never garbage-collected, so each unique attacker-controlled 4-byte name is a permanent allocation. A crafted MP4 of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names exhausts the atom table (default ceiling around 1,048,576 atoms), aborting the entire BEAM node and taking down all applications running on it. This issue affects membrane_mp4_plugin from 0.3.0 before 0.36.7.
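The interning pattern the description refers to, next to a bounded alternative, as an added Elixir illustration (not the plugin's own code and not its actual fix); the module and function names, the allowlist of box types, the unknown-name bound and the sample input are all assumptions:

```elixir
defmodule Mp4BoxNameCheck do
  # Added example, not membrane_mp4_plugin's code or its actual fix. The
  # allowlist of common ISO BMFF box types below is an assumption.
  @known_boxes Map.new(~w(ftyp moov mvhd trak mdia mdat moof mfhd free), &{&1, String.to_atom(&1)})

  # Vulnerable pattern: interning attacker-controlled bytes. Every distinct
  # 4-byte name becomes a permanent atom, so a stream of unique names grows
  # the atom table until the whole BEAM node aborts.
  def parse_box_name_unsafe(<<name::binary-size(4)>>), do: String.to_atom(name)

  # Hardened pattern: only allowlisted names map to atoms (created once at
  # compile time); anything else stays a binary, so input cannot create atoms.
  def parse_box_name_safe(<<name::binary-size(4)>>) do
    case Map.fetch(@known_boxes, name) do
      {:ok, atom} -> {:known, atom}
      :error -> {:unknown, name}
    end
  end

  # Walk top-level boxes without interning anything, count distinct unknown
  # names and fail closed once a bound is exceeded: a cheap pre-parse check
  # or detection rule for inputs built to exhaust the atom table.
  def scan(data, max_unknown \\ 32), do: do_scan(data, MapSet.new(), max_unknown)
  defp do_scan(<<>>, seen, _max), do: {:ok, MapSet.size(seen)}
  # size 0 (box runs to EOF) and size 1 (64-bit largesize) are legal but not
  # handled here; they fall through to the malformed clause below.
  defp do_scan(<<size::32, name::binary-size(4), rest::binary>>, seen, max) when size >= 8 do
    payload_len = size - 8
    case rest do
      <<_payload::binary-size(payload_len), next::binary>> ->
        seen =
          case parse_box_name_safe(name) do
            {:known, _atom} -> seen
            {:unknown, n} -> MapSet.put(seen, n)
          end
        if MapSet.size(seen) > max, do: {:error, :too_many_unknown_boxes}, else: do_scan(next, seen, max)
      _ -> {:error, :truncated_box}
    end
  end
  defp do_scan(_data, _seen, _max), do: {:error, :unsupported_or_malformed_header}

  # Constructed sample: a benign prefix, then 40 boxes whose 4-byte names are all distinct.
  def box(name, payload \\ <<>>), do: <<(byte_size(payload) + 8)::32, name::binary, payload::binary>>
  def demo do
    benign = box("ftyp", "isom") <> box("free")
    hostile = Enum.map_join(1..40, &box(<<?z, ?z, ?a + div(&1, 26), ?a + rem(&1, 26)>>))
    {scan(benign), scan(benign <> hostile)}
  end
end
```

String.to_existing_atom/1 is the other common bound: it only succeeds for atoms already in the table and raises ArgumentError otherwise, so a caller using it must rescue and treat the failure as an unknown box rather than a crash.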

PUBLISHED Reserved 2026-06-09 | Published 2026-06-11 | Updated 2026-06-12 | Assigner EEF

MEDIUM: 5.9 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-770 Allocation of Resources Without Limits or Throttling

Product status

Default status: unaffected
0.3.0 (semver) before 0.36.7: affected

Default status: unaffected
ae4bf04c393aa1562f3df3d33e20bc5cb8130de2 (git) before 56373d1ddc86968e55fbde795c14eeba24357b57: affected

Credits

Łukasz Kita (finder)

Łukasz Kita (remediation developer)

Mateusz Front (remediation developer)

Jonatan Männchen / EEF (analyst)

References

github.com/...plugin/security/advisories/GHSA-43hj-fxwj-49qw (exploit)

github.com/...plugin/security/advisories/GHSA-43hj-fxwj-49qw (vendor advisory, related)

cna.erlef.org/cves/CVE-2026-53423.html (related)

osv.dev/vulnerability/EEF-CVE-2026-53423 (related)

github.com/...ommit/56373d1ddc86968e55fbde795c14eeba24357b57 (patch)

cve.org (CVE-2026-53423)

nvd.nist.gov (CVE-2026-53423)