Description
Uncontrolled Resource Consumption vulnerability in the Elixir standard library's Version module allows an attacker who controls a version string to cause a denial of service through CPU and memory exhaustion.

The version parser converts numeric version components (major, minor, patch and numeric pre-release/build identifiers) to integers without bounding their length. A single large all-digit component therefore forces a super-linear, non-yielding base-10 to arbitrary-precision integer conversion (String.to_integer/1, i.e. :erlang.binary_to_integer/1) that pins a BEAM scheduler, and a larger component raises an uncaught SystemLimitError that crashes the calling process. A single moderately sized string (around one megabyte) is enough; no authentication is required.

This is reachable from the public entry points Version.parse/1, Version.parse!/1, Version.match?/3, Version.compare/2, and Version.parse_requirement/1, which applications routinely call on untrusted input such as HTTP parameters, dependency-manifest fields, and package metadata.

This vulnerability is associated with program files lib/version.ex and program routines 'Elixir.Version.Parser':parse_digits/2.

This issue affects Elixir: from 1.5.0 before 1.20.1.
Published: 2026-06-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the Elixir standard library’s Version module, which converts unrestricted numeric components of a version string into arbitrary‑precision integers without validating length. A single component consisting of a large sequence of digits triggers a non‑yielding conversion that consumes CPU time and, if the component is even larger, raises an uncaught SystemLimitError that crashes the calling process. This results in a denial of service that can be observed as prolonged CPU usage or an application crash. The weakness is classified as CWE‑400, uncontrolled resource consumption, and also as CWE‑770, reflecting the lack of bounds on resource allocation.

Affected Systems

Elixir, released by elixir‑lang, versions from 1.5.0 up to, but excluding, 1.20.1 are affected. Any installation of these releases that parses untrusted version strings—such as user‑supplied HTTP parameters, package metadata, or dependency manifest fields—faces the risk.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate impact. The EPSS score is 0.00152, below 1%, indicating a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited current exploitation data. The attack vector is inferred to be remote and unauthenticated, as the vulnerable parsing functions are publicly documented entry points and can be invoked by any requester that supplies a malicious version string. Successful exploitation would exhaust CPU and memory resources, potentially halting an application or the BEAM scheduler.

Generated by OpenCVE AI on June 18, 2026 at 21:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Elixir to version 1.20.1 or newer, which includes bounds checking on integer parsing in the Version module.
  • If an upgrade is not immediately possible, implement input validation that rejects numeric version components exceeding a reasonable length before passing them to the Version module.
  • Update dependency declarations to pin to the patched Elixir release, and run vulnerability scanners against all package metadata that may be parsed by the application.
  • Add monitoring for BEAM scheduler saturation and configure alerts to detect prolonged CPU usage or unexpected system limit errors, allowing rapid response to an ongoing denial‑of‑service attempt.

Generated by OpenCVE AI on June 18, 2026 at 21:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Tue, 09 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Description Uncontrolled Resource Consumption vulnerability in the Elixir standard library's Version module allows an attacker who controls a version string to cause a denial of service through CPU and memory exhaustion. The version parser converts numeric version components (major, minor, patch and numeric pre-release/build identifiers) to integers without bounding their length. A single large all-digit component therefore forces a super-linear, non-yielding base-10 to arbitrary-precision integer conversion (String.to_integer/1, i.e. :erlang.binary_to_integer/1) that pins a BEAM scheduler, and a larger component raises an uncaught SystemLimitError that crashes the calling process. A single moderately sized string (around one megabyte) is enough; no authentication is required. This is reachable from the public entry points Version.parse/1, Version.parse!/1, Version.match?/3, Version.compare/2, and Version.parse_requirement/1, which applications routinely call on untrusted input such as HTTP parameters, dependency-manifest fields, and package metadata. This vulnerability is associated with program files lib/version.ex and program routines 'Elixir.Version.Parser':parse_digits/2. This issue affects Elixir: from 1.5.0 before 1.20.1.
Title Unbounded integer parsing in the Version module enables CPU and memory exhaustion denial of service
First Time appeared Elixir-lang
Elixir-lang elixir
Weaknesses CWE-400
CPEs cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:*
Vendors & Products Elixir-lang
Elixir-lang elixir
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Elixir-lang Elixir
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-10T04:43:08.517Z

Reserved: 2026-06-01T13:45:22.449Z

Link: CVE-2026-49762

cve-icon Vulnrichment

Updated: 2026-06-09T14:49:00.483Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T14:16:44.317

Modified: 2026-06-09T14:47:47.457

Link: CVE-2026-49762

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-09T14:04:07Z

Links: CVE-2026-49762 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:15:03Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-770

    Allocation of Resources Without Limits or Throttling