Description
Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote code execution on the server.

'Elixir.GRPC.Codec.Erlpack':decode/2 (lib/grpc/codec/erlpack.ex) calls :erlang.binary_to_term/1 on the raw gRPC message body without the :safe option, no size bound, and no type guard. Any unauthenticated peer that sends a request with Content-Type: application/grpc+erlpack can send a crafted payload that mints arbitrary new atoms (which are never garbage-collected, exhausting the bounded atom table and crashing the VM) or that encodes a fun term which, if applied anywhere downstream, executes attacker-controlled code inside the server process.

This issue affects grpc from 0.4.0 before 1.0.0.
Published: 2026-06-15
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from unsafe deserialization of Erlang terms in the elixir‑grpc grpc library. The codec Erlpack.decode calls :erlang.binary_to_term without safety checks or size limits, allowing an attacker to send arbitrary terms. This can cause atom table exhaustion and crash the BEAM node, or, if the term contains a fun, execute malicious code. The flaw is essentially a deserialization of untrusted data leading to remote code execution and denial of service.

Affected Systems

The affected product is elixir‑grpc grpc. Any installation of grpc between version 0.4.0 and before 1.0.0 that receives gRPC requests with the content type application/grpc+erlpack is vulnerable. The attack surface is present in any server using the Erlpack codec for deserialization.

Risk and Exploitability

The CVSS score of 9.2 marks this flaw as critical. The EPSS score is less than 1 percent, indicating a very low probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. However, the attack requires no prior authentication and can be performed over any gRPC endpoint that accepts the vulnerable content type, making it potentially easily exploitable for targeted adversaries. Based on the description, the impact is likely to include loss of confidentiality, integrity, and availability of the affected server.

Generated by OpenCVE AI on June 18, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the elixir‑grpc grpc library to version 1.0.0 or later, which removes the unsafe Erlpack deserialization.
  • If an upgrade is not yet possible, filter or block incoming gRPC requests with the content type application/grpc+erlpack so that the vulnerable codec is never used.
  • Apply authentication and authorization controls to the gRPC service endpoints to restrict access to trusted peers only.
  • Consider using the :safe option with :erlang.binary_to_term in any custom codec logic to prevent atom table exhaustion and restrict size limits.

Generated by OpenCVE AI on June 18, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Critical


Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote code execution on the server. 'Elixir.GRPC.Codec.Erlpack':decode/2 (lib/grpc/codec/erlpack.ex) calls :erlang.binary_to_term/1 on the raw gRPC message body without the :safe option, no size bound, and no type guard. Any unauthenticated peer that sends a request with Content-Type: application/grpc+erlpack can send a crafted payload that mints arbitrary new atoms (which are never garbage-collected, exhausting the bounded atom table and crashing the VM) or that encodes a fun term which, if applied anywhere downstream, executes attacker-controlled code inside the server process. This issue affects grpc from 0.4.0 before 1.0.0.
Title Remote code execution and denial of service via unsafe Erlang term deserialization in elixir-grpc/grpc
First Time appeared Elixir-grpc
Elixir-grpc grpc
Weaknesses CWE-502
CWE-770
CPEs cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*
Vendors & Products Elixir-grpc
Elixir-grpc grpc
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Elixir-grpc Grpc
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-17T04:47:30.147Z

Reserved: 2026-05-25T20:44:10.696Z

Link: CVE-2026-48853

cve-icon Vulnrichment

Updated: 2026-06-16T14:44:54.804Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T23:16:45.663

Modified: 2026-06-16T15:35:16.600

Link: CVE-2026-48853

cve-icon Redhat

Severity : Critical

Publid Date: 2026-06-15T21:56:15Z

Links: CVE-2026-48853 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T00:30:14Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data

  • CWE-770

    Allocation of Resources Without Limits or Throttling