Description
Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has a hard default limit of approximately 1,048,576 entries, an attacker who can submit values to any resource attribute or argument of type :module can exhaust this table and crash the entire BEAM VM, taking down the application. This issue has been patched in version 3.22.0.
Published: 2026-04-02
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Ash Framework's cast_input/2 creates an Erlang atom from any user-supplied binary that starts with "Elixir." by calling Module.concat without first checking whether the module exists. Since Erlang atoms are immutable and never garbage collected, each call with a new name permanently consumes an entry in the BEAM atom table, which is limited to about one million entries by default. The unchecked atom creation is therefore both uncontrolled resource consumption and allocation of resources without limits (CWE-400 and CWE-770). If an attacker can supply such values to a field of type :module, for example through an API, a form or other external input, they can force the atom table to overflow, crashing the BEAM virtual machine and making the entire application unavailable: a denial of service.

Affected Systems

All installations of the Ash Framework released before version 3.22.0 are affected. The issue impacts any instance where module‑typed attributes or arguments are exposed to untrusted input, including API endpoints, user‑supplied configurations, or external data sources. Users of the popular ash‑project:ash package should review whether their applications accept :module values from outside the system. Only the 3.22.0 revision or later includes the mitigation that validates the module before atom creation.

Risk and Exploitability

The vulnerability has a CVSS base score of 8.2, indicating high severity. Its EPSS score is below 1%, suggesting that exploitation is not yet common, and it is not listed in the CISA KEV catalog. Exploitation requires only the ability to submit arbitrary binary strings to a :module parameter, a capability that many web or API services provide. No privileges are needed and no complex setup is required; the attack simply fills the atom table until it overflows, leading to an immediate crash of the virtual machine. Because the BEAM atom table is shared by every Erlang process on the node rather than owned by any one of them, the impact is VM-wide rather than confined to a single request or user.

Generated by OpenCVE AI on April 13, 2026 at 20:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ash Framework to version 3.22.0 or later
  • If an upgrade is not immediately possible, restrict the acceptance of :module values or validate that the referenced module exists before invoking cast_input/2
  • Monitor for unusual module loading activity
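The unchecked pattern the description above attributes to cast_input/2, shown next to the hardened cast that the second recommended action calls for. This is an added example in Elixir, not Ash's own implementation; the module name ModuleCast and both function names are assumptions made for the illustration.

```elixir
# Added illustration, not Ash's own code. ModuleCast and the two function
# names are assumptions made for this example.
defmodule ModuleCast do
  # Unsafe pattern from the advisory: Module.concat/1 interns a brand-new atom
  # for any unknown "Elixir.*" string before the module is ever checked, so
  # every distinct input permanently consumes an atom-table slot.
  def cast_input_unsafe("Elixir." <> _ = value) do
    mod = Module.concat([value])
    if Code.ensure_loaded?(mod), do: {:ok, mod}, else: :error
  end

  def cast_input_unsafe(_), do: :error

  # Hardened form: String.to_existing_atom/1 raises ArgumentError unless the
  # atom is already in the table, so unknown names never allocate anything.
  # An existing atom is still not proof of a module, hence the ensure_loaded?
  # check afterwards.
  def cast_input_safe("Elixir." <> _ = value) do
    try do
      mod = String.to_existing_atom(value)
      if Code.ensure_loaded?(mod), do: {:ok, mod}, else: :error
    rescue
      ArgumentError -> :error
    end
  end

  # Atoms that already name a loadable module are accepted as-is.
  def cast_input_safe(value) when is_atom(value) do
    if Code.ensure_loaded?(value), do: {:ok, value}, else: :error
  end

  # Anything else (non-"Elixir." strings, integers, maps, ...) is rejected
  # without touching the atom table.
  def cast_input_safe(_), do: :error
end
```

In a release (embedded code mode) every application module is loaded at boot, so its name atom already exists and the hardened clause accepts it; in interactive mode a module that nothing has referenced yet may be rejected, which fails closed rather than allocating.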

Advisories
Source: GitHub GHSA
ID: GHSA-jjf9-w5vj-r6vp
Title: Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash
History

Mon, 13 Apr 2026 18:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Ash-hq; Ash-hq ash Framework
Weaknesses           -                CWE-770
CPEs                 -                cpe:2.3:a:ash-hq:ash_framework:*:*:*:*:*:*:*:*
Vendors & Products   -                Ash-hq; Ash-hq ash Framework
Metrics              -                cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 03 Apr 2026 14:00:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Ash-project; Ash-project ash
Vendors & Products   -                Ash-project; Ash-project ash

Thu, 02 Apr 2026 20:30:00 +0000

Type                 Values Removed   Values Added
Description          -                Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has a hard default limit of approximately 1,048,576 entries, an attacker who can submit values to any resource attribute or argument of type :module can exhaust this table and crash the entire BEAM VM, taking down the application. This issue has been patched in version 3.22.0.
Title                -                Ash Framework: Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash
Weaknesses           -                CWE-400
References           -
Metrics              -                cvssV4_0: {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T13:04:09.413Z

Reserved: 2026-03-30T17:15:52.499Z

Link: CVE-2026-34593

Vulnrichment

Updated: 2026-04-03T13:04:00.511Z

NVD

Status : Analyzed

Published: 2026-04-02T18:16:31.360

Modified: 2026-04-13T18:37:04.500

Link: CVE-2026-34593

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:57Z

Weaknesses