Description
Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service.

The decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. Decimal.new("1e1000000000")) is accepted without error. Subsequent calls to arithmetic functions (Decimal.add/2, Decimal.sub/2, Decimal.div/2), Decimal.to_string/2 with :normal or :xsd format, Decimal.to_integer/1, Decimal.round/3, or Decimal.compare/3 with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM.

Any application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash.

This issue affects decimal: from 0.1.0 before 3.0.0.
Published: 2026-05-07
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The decimal library accepts numeric strings that contain arbitrarily large exponents without performing bounds checks. A value such as "1e1000000000" is parsed successfully, yet subsequent arithmetic, conversion, or formatting operations allocate memory proportional to the exponent. This uncontrolled allocation can exhaust the BEAM VM's memory and cause the process to terminate, resulting in a denial of service. The vulnerability is classified as an uncontrolled resource consumption flaw (CWE-400) and can be triggered by a single unauthenticated request.

Affected Systems

All releases of the ericmj decimal library from version 0.1.0 up through any release before 3.0.0 are affected. Any application that includes one of those versions and accepts user-supplied decimal strings is vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate-to-high impact. While the EPSS score is not available and the vulnerability is not listed in CISA KEV, the lack of authentication or privilege requirements means the exploitability is high for any exposed application that processes untrusted decimal input. An attacker only needs to send a large-exponent decimal string to the target, and the out-of-memory crash can take the process or entire node down if not mitigated.

Generated by OpenCVE AI on May 7, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to decimal v3.0.0 or later, which limits exponent size.
  • Validate or sanitize user-supplied decimal strings to reject excessively large exponents before they reach the library.
  • Configure application-level memory limits or process isolation so that a crash does not bring down the entire system and alerts administrators to potential DoS attempts.
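The validator below is an added example (not code from the decimal library, the advisory, or OpenCVE) of the second recommendation: it bounds the exponent of a user-supplied decimal string before the string ever reaches Decimal.new/1, which is the point at which the description above says the oversized exponent is accepted. The module name SafeDecimal, the regex, and the two limits (@max_abs_exponent, @max_input_bytes) are assumptions standing in for an application's own policy. The bound is applied to the effective exponent (explicit exponent minus the number of fraction digits), because that is what the library stores and what the affected operations scale with, and it is applied to both signs, since a very large negative exponent drives :normal string formatting the same way.

```elixir
defmodule SafeDecimal do
  @moduledoc """
  Bounds the exponent of user-supplied decimal strings before they reach
  Decimal.new/1. Added example, not code from the decimal library; the
  limits below are assumed application policy, not values from the advisory.
  """

  # Assumed policy: largest absolute effective exponent we are willing to
  # store. Decimal stores coef * 10^exp, and the affected operations
  # allocate in proportion to |exp|, so this caps that allocation.
  @max_abs_exponent 1_000

  # Assumed policy: cap on raw input bytes, so a million-digit coefficient
  # cannot be used as an alternative amplification vector.
  @max_input_bytes 64

  # Optional sign, integer digits, optional fraction, optional exponent;
  # anchored with \A and \z so whitespace, "inf", "nan" etc. do not match.
  @decimal_re ~r/\A(?:[+-]?)(?<int>\d*)(?:\.(?<frac>\d*))?(?:[eE](?<exp>[+-]?\d+))?\z/

  @type reason :: :not_a_string | :too_long | :malformed | :no_digits | :exponent_too_large

  @doc """
  Returns `{:ok, input}` when `input` is a plain decimal literal whose
  effective exponent (explicit exponent minus number of fraction digits)
  lies within the configured bound, otherwise `{:error, reason}`.
  """
  @spec validate(term) :: {:ok, String.t()} | {:error, reason}
  def validate(input) when is_binary(input) do
    with :ok <- check_length(input),
         {:ok, caps} <- match(input),
         :ok <- check_digits(caps),
         :ok <- check_exponent(caps) do
      {:ok, input}
    end
  end

  def validate(_other), do: {:error, :not_a_string}

  @doc "Validates, then constructs the Decimal (assumes the :decimal dependency is present)."
  def new(input) do
    with {:ok, s} <- validate(input), do: {:ok, Decimal.new(s)}
  end

  defp check_length(input) when byte_size(input) > @max_input_bytes, do: {:error, :too_long}
  defp check_length(_input), do: :ok

  defp match(input) do
    # Regex.named_captures/2 returns "" for optional groups that did not match.
    case Regex.named_captures(@decimal_re, input) do
      nil -> {:error, :malformed}
      caps -> {:ok, caps}
    end
  end

  # "." or "e5" satisfy the regex but carry no digits at all.
  defp check_digits(%{"int" => "", "frac" => ""}), do: {:error, :no_digits}
  defp check_digits(_caps), do: :ok

  defp check_exponent(%{"frac" => frac, "exp" => exp}) do
    effective = explicit_exponent(exp) - String.length(frac)

    if abs(effective) > @max_abs_exponent do
      {:error, :exponent_too_large}
    else
      :ok
    end
  end

  defp explicit_exponent(""), do: 0
  # String.to_integer/1 accepts a leading "-"; strip an optional "+" ourselves.
  defp explicit_exponent(exp), do: exp |> String.trim_leading("+") |> String.to_integer()
end
```

With these assumed limits, SafeDecimal.validate("1e1000000000") is rejected with {:error, :exponent_too_large} before any allocation happens, while ordinary values such as "19.99" or "6.02e23" pass through unchanged. Run the check at the edge (a Plug or changeset where the string is first accepted) rather than deep in business logic, and keep it even after upgrading to decimal 3.0.0 or later: the library's own limit protects the VM, but an application-specific bound is usually far tighter than anything a general-purpose library can impose.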

Advisories

No advisories yet.

History

Thu, 07 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service. The decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. Decimal.new("1e1000000000")) is accepted without error. Subsequent calls to arithmetic functions (Decimal.add/2, Decimal.sub/2, Decimal.div/2), Decimal.to_string/2 with :normal or :xsd format, Decimal.to_integer/1, Decimal.round/3, or Decimal.compare/3 with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM. Any application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash. This issue affects decimal: from 0.1.0 before 3.0.0.
Title | | Unbounded exponent in decimal enables unauthenticated DoS
First Time appeared | | Ericmj; Ericmj decimal
Weaknesses | | CWE-400
CPEs | | cpe:2.3:a:ericmj:decimal:*:*:*:*:*:*:*:*
Vendors & Products | | Ericmj; Ericmj decimal
References | |
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-07T14:04:47.222Z

Reserved: 2026-03-13T09:12:14.474Z

Link: CVE-2026-32686

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-07T15:16:05.370

Modified: 2026-05-07T15:49:13.797

Link: CVE-2026-32686

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:24:39Z

Weaknesses