Description
Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has a hard default limit of approximately 1,048,576 entries, an attacker who can submit values to any resource attribute or argument of type :module can exhaust this table and crash the entire BEAM VM, taking down the application. This issue has been patched in version 3.22.0.
Published: 2026-04-02
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Ash Framework, a declarative framework for Elixir applications, had a flaw in the function Ash.Type.Module.cast_input/2: any user‑supplied binary starting with "Elixir." was passed to Module.concat/1, which interns a new Erlang atom, before the code checked whether the named module exists. Atoms are never garbage‑collected, and the BEAM atom table has a default limit of 1,048,576 entries (2^20; it can be raised with the +t emulator flag, which only delays exhaustion). An attacker who submits enough distinct names, each of which is rejected but still consumes a permanent atom-table slot, exhausts the table and crashes the BEAM virtual machine, causing a denial of service for the entire application. The weakness is classified as CWE‑400, uncontrolled resource consumption.

Affected Systems

The affected product is the Ash Framework (ash-project:ash). All versions prior to 3.22.0 are vulnerable; the issue was addressed in the 3.22.0 release.

Risk and Exploitability

The CVSS 4.0 base score is 8.2 (high), vector AV:N/AC:L/AT:P/PR:N/UI:N/VA:H: reachable over the network, no privileges or user interaction required, high impact on availability only; the AT:P (attack requirements) component reflects that the attacker needs a reachable action that accepts a :module‑typed attribute or argument. EPSS is below 1% (Very Low) and the vulnerability is not listed in KEV. The attack vector is any input that reaches such an attribute or argument; if an attacker can submit that data remotely, for example through an API or web form, roughly a million requests carrying distinct "Elixir."‑prefixed names are enough to fill the atom table, and because atoms are never reclaimed the only recovery is a VM restart. Successful exploitation crashes the BEAM VM and results in service downtime. No public exploit was known when this analysis was generated; the SSVC assessment later recorded in the History section marks Exploitation as "poc" and Automatable as "yes". The trivial trigger makes this a high‑risk vulnerability for exposed services.

Generated by OpenCVE AI on April 2, 2026 at 22:28 UTC.
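The mechanism described above, as an added illustration that is not Ash's own source code: a cast function reconstructed from the advisory text (the real Ash.Type.Module implementation may differ in detail) and a small harness that submits distinct, never‑seen module names and measures how much the atom table grows. Every name is rejected because no such module exists, yet each one still occupies a permanent atom‑table slot. The module names VulnerableModuleCast, AtomExhaustionDemo and the "Elixir.Attacker.Payload…" strings are chosen here for the demonstration.

```elixir
# Added illustration; not the Ash source. Run with: elixir atom_exhaustion_demo.exs
defmodule VulnerableModuleCast do
  # Reconstructed from the advisory: a binary starting with "Elixir." is
  # turned into an atom via Module.concat/1 *before* the existence check.
  def cast_input("Elixir." <> _ = value) do
    mod = Module.concat([value])          # interns a brand-new atom for unknown names
    if Code.ensure_loaded?(mod), do: {:ok, mod}, else: :error
  end

  def cast_input(value) when is_atom(value), do: {:ok, value}
  def cast_input(_), do: :error
end

defmodule AtomExhaustionDemo do
  # Simulates an attacker sending `n` distinct module names and reports the
  # atom-table growth. Names are constructed here and never correspond to
  # real modules, so every cast returns :error.
  def run(n) do
    before = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)      # 1_048_576 by default
    nonce = System.unique_integer([:positive])    # keeps names unique per run

    results =
      for i <- 1..n do
        VulnerableModuleCast.cast_input("Elixir.Attacker.Payload#{nonce}_#{i}")
      end

    after_count = :erlang.system_info(:atom_count)

    %{
      submitted: n,
      casts_rejected: Enum.count(results, &(&1 == :error)),
      atoms_created: after_count - before,
      atoms_remaining: limit - after_count,
      atom_limit: limit
    }
  end
end

# Keep the sample far below the limit: exhausting the table kills this VM too.
IO.inspect(AtomExhaustionDemo.run(5_000), label: "after 5_000 bogus module names")
```

The report shows casts_rejected equal to the number submitted while atoms_created tracks it almost exactly: rejecting the value did nothing to reclaim the atom. Scale the loop up to the printed atoms_remaining and the VM aborts with a "no more index entries in atom_tab" error, which is the crash the advisory describes.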

Remediation

The vendor fix is Ash Framework 3.22.0, which stops creating atoms from unverified input (see the Description and the GHSA advisory listed below). No workaround short of upgrading is provided by the vendor.

OpenCVE Recommended Actions

  • Upgrade Ash Framework to version 3.22.0 or newer.
  • Restrict values supplied to :module attributes and arguments to an explicit allowlist compared as strings, or resolve them with String.to_existing_atom/1 so that unknown names fail instead of interning a new atom; never pass untrusted input to Module.concat/1 or String.to_atom/1.
  • Monitor atom usage (:erlang.system_info(:atom_count) against :erlang.system_info(:atom_limit)) and alert on abnormal growth; atoms are only reclaimed by a VM restart, so an alert should trigger a controlled restart rather than waiting for the crash. Raising the limit with the +t emulator flag only delays exhaustion. Where feasible, run the internet‑facing part of the application in its own BEAM instance so that an exhaustion crash does not take down unrelated services.

Generated by OpenCVE AI on April 2, 2026 at 22:28 UTC.
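The two code‑level recommendations above, as an added example that is not the Ash 3.22.0 patch: a cast that matches untrusted input against an allowlist by its string form (so no atom is ever created from user data), a variant using String.to_existing_atom/1 for cases where any already‑loaded module is acceptable, and a health check comparing :erlang.system_info(:atom_count) with :erlang.system_info(:atom_limit). The MyApp.Notifier.* modules, the SafeModuleCast and AtomTableMonitor names and the alert thresholds are hypothetical.

```elixir
# Added example; not Ash's patch. Run with: elixir safe_module_cast.exs
defmodule MyApp.Notifier.Email do
  def deliver(_msg), do: :ok
end

defmodule MyApp.Notifier.Sms do
  def deliver(_msg), do: :ok
end

defmodule SafeModuleCast do
  # Pattern 1 (preferred): explicit allowlist, matched on the *string* form of
  # the module name. Untrusted input is compared, never converted to an atom.
  @allowed [MyApp.Notifier.Email, MyApp.Notifier.Sms]
  @allowed_by_name Map.new(@allowed, &{Atom.to_string(&1), &1})  # "Elixir.MyApp.Notifier.Email" => MyApp.Notifier.Email

  def cast_input(value) when is_atom(value) do
    if value in @allowed, do: {:ok, value}, else: :error
  end

  def cast_input(value) when is_binary(value) do
    case Map.fetch(@allowed_by_name, value) do
      {:ok, mod} -> {:ok, mod}
      :error -> :error
    end
  end

  def cast_input(_), do: :error

  # Pattern 2: when any loaded module is acceptable, String.to_existing_atom/1
  # raises ArgumentError for names that were never interned, so unknown input
  # cannot grow the atom table. The existence check then runs on a real atom.
  def cast_any_loaded("Elixir." <> _ = value) do
    mod = String.to_existing_atom(value)
    if Code.ensure_loaded?(mod), do: {:ok, mod}, else: :error
  rescue
    ArgumentError -> :error
  end

  def cast_any_loaded(_), do: :error
end

defmodule AtomTableMonitor do
  # Compares atom usage with the VM limit. Wire into a periodic health check or
  # a telemetry poller; on :warn investigate, on :critical schedule a restart,
  # because a full table cannot be recovered without one.
  def check(warn_at \\ 0.70, critical_at \\ 0.90) do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    ratio = count / limit

    status =
      cond do
        ratio >= critical_at -> :critical
        ratio >= warn_at -> :warn
        true -> :ok
      end

    {status, %{atom_count: count, atom_limit: limit, percent_used: Float.round(ratio * 100, 2)}}
  end
end

# Demo: attacker-style inputs (constructed here) are rejected without adding atoms.
before = :erlang.system_info(:atom_count)
IO.inspect(SafeModuleCast.cast_input("Elixir.MyApp.Notifier.Email"), label: "allowlisted")
IO.inspect(SafeModuleCast.cast_input("Elixir.Attacker.Bogus1"), label: "unknown (allowlist)")
IO.inspect(SafeModuleCast.cast_any_loaded("Elixir.Attacker.Bogus2"), label: "unknown (to_existing_atom)")
IO.inspect(:erlang.system_info(:atom_count) - before, label: "atoms created by rejected inputs")
IO.inspect(AtomTableMonitor.check(), label: "atom table")
```

The allowlisted name resolves to {:ok, MyApp.Notifier.Email}, both attacker inputs return :error, and the atom delta prints 0: rejection now costs nothing permanent. The allowlist form is the one to reach for in a resource definition; cast_any_loaded is only appropriate where the set of legitimate modules genuinely cannot be enumerated, and it still depends on the module having been loaded before the request arrives.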


Advisories
Source: GitHub GHSA | ID: GHSA-jjf9-w5vj-r6vp | Title: Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash
History

Fri, 03 Apr 2026 14:00:00 +0000

Type: Metrics | Values Removed: (none) | Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared | Values Removed: (none) | Values Added: Ash-project; Ash-project ash
Type: Vendors & Products | Values Removed: (none) | Values Added: Ash-project; Ash-project ash

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description | Values Removed: (none) | Values Added: Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has a hard default limit of approximately 1,048,576 entries, an attacker who can submit values to any resource attribute or argument of type :module can exhaust this table and crash the entire BEAM VM, taking down the application. This issue has been patched in version 3.22.0.
Type: Title | Values Removed: (none) | Values Added: Ash Framework: Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash
Type: Weaknesses | Values Removed: (none) | Values Added: CWE-400
Type: References | Values Removed: (none) | Values Added: (none listed)
Type: Metrics | Values Removed: (none) | Values Added: cvssV4_0
{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T13:04:09.413Z

Reserved: 2026-03-30T17:15:52.499Z

Link: CVE-2026-34593

Vulnrichment

Updated: 2026-04-03T13:04:00.511Z

NVD

Status : Awaiting Analysis

Published: 2026-04-02T18:16:31.360

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-34593

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:17:14Z

Weaknesses