Description
Allocation of Resources Without Limits or Throttling vulnerability in membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion.

The MP4 box header parser converts each 4-byte box name to an atom using String.to_atom/1 without validation. 'Elixir.Membrane.MP4.Container.Header':parse_box_name/1 in lib/membrane_mp4/container/header.ex interns every box name encountered while 'Elixir.Membrane.MP4.Container.Header':parse/1 walks the input. BEAM atoms are never garbage-collected, so each unique attacker-controlled 4-byte name is a permanent allocation that outlives the request, the process and the pipeline that parsed it. A crafted MP4 of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names exhausts the atom table (default ceiling around 1,048,576 atoms), aborting the entire BEAM node and taking down all applications running on it; an empty box costs only its 8-byte header (4-byte size plus 4-byte name), so the attacker pays about 8 bytes of input per interned atom.

This issue affects membrane_mp4_plugin from 0.3.0 before 0.36.7.
Published: 2026-06-11
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from the MP4 box header parser converting each four-byte box name to a BEAM atom via String.to_atom/1 without validating the input. Each unique name is permanently interned; when an attacker supplies a crafted MP4 file laden with unique four-byte identifiers, the atom table is exhausted. Its default limit is 1,048,576 atoms and can be raised with the +t emulator flag, but that only moves the threshold, since the attacker controls the number of distinct names. When the limit is hit the BEAM node aborts and every application running on it terminates, not just the process parsing the file. The effect is an unauthenticated denial-of-service.

Affected Systems

The flaw affects the MembraneFramework membrane_mp4_plugin component. Versions from 0.3.0 up to but not including 0.36.7 are vulnerable. Any deployment that uses this plugin within the Membrane media pipeline and processes MP4 files from untrusted sources is at risk.

Risk and Exploitability

With a CVSS 4.0 base score of 5.9 the vulnerability is rated Medium. EPSS is below 1% (very low), it is not listed in CISA's KEV catalog, and the SSVC assessment records a public proof of concept with Automatable: no. The recorded vector (AV:L/AT:P/PR:N/UI:N) rates the attack vector as local with attack requirements present, but no privileges or user interaction are needed: in practice the exposure is any interface that feeds MP4 input from untrusted sources into the plugin, including network upload paths. Once the atom table is exhausted, the entire BEAM node aborts, leading to complete disruption of every service hosted on that node.

Generated by OpenCVE AI on June 11, 2026 at 12:21 UTC.

Remediation

No vendor advisory or workaround is linked in this record. The affected range ends before 0.36.7, so 0.36.7 is the first version outside it.

OpenCVE Recommended Actions

  • Upgrade membrane_mp4_plugin to version 0.36.7 or later, the first version outside the affected range.
  • Until then, gate MP4 input before it reaches the parser: accept box names only from a fixed allowlist (String.to_existing_atom/1 against atoms created at compile time, or keep unknown names as binaries rather than atoms), and reject files that exceed a small cap on distinct unknown four-byte identifiers. Size limits alone are not enough, since roughly 8 bytes of input buy one permanent atom.
  • Run the plugin in a dedicated BEAM node or container with automatic restart so an abort does not take other services down, and monitor :erlang.system_info(:atom_count) against :erlang.system_info(:atom_limit) to catch growth before the node aborts. Restart alone does not help if the same file is retried after the restart.
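The interning pattern the description attributes to parse_box_name/1, a hardened replacement along the lines of the allowlist recommendation above, and the atom-table check, as an added Elixir example. This is not membrane_mp4_plugin's own code, nor the project's fix; the module name, the allowlist contents, the cap of 64 unknown names and the sample input are all assumptions chosen for illustration.

```elixir
# Added example, not membrane_mp4_plugin's code: the interning pattern the CVE
# describes, a hardened replacement, and an operational check on the atom table.
# Module and function names, the allowlist and the cap are all assumptions.
defmodule AtomSafeBoxHeader do
  # Box names we are willing to turn into atoms. Evaluating the list at compile
  # time creates these atoms once, so String.to_existing_atom/1 succeeds for
  # them; it is never called on anything outside this list.
  @known_names ~w(ftyp moov mvhd trak tkhd mdia mdhd hdlr minf stbl stsd stts
                  stsc stsz stco co64 mdat free skip udta meta)
  @known_atoms Enum.map(@known_names, &String.to_atom/1)

  # How many distinct unknown 4-byte names one file may contain before it is
  # rejected (assumed value). Legitimate files carry a few vendor boxes, not thousands.
  @max_unknown_names 64

  def known_box_atoms, do: @known_atoms

  # Vulnerable shape, kept for contrast: every 4-byte name becomes a fresh atom,
  # and atoms are never garbage-collected. Do not use on untrusted input.
  def parse_box_name_unsafe(<<name::binary-size(4)>>), do: String.to_atom(name)

  # Hardened: allowlisted names map to existing atoms, everything else stays a
  # binary tagged :unknown, so attacker-chosen names never reach the atom table.
  def parse_box_name(<<name::binary-size(4)>>) do
    if name in @known_names, do: String.to_existing_atom(name), else: {:unknown, name}
  end

  # Walk top-level boxes: 32-bit big-endian size, 4-byte name, optional 64-bit
  # largesize when size == 1; size == 0 means "extends to end of input".
  # Returns {:ok, [{name, payload}]} or {:error, reason}; the walk stops as soon
  # as the distinct-unknown-name cap is exceeded, before the rest of the file is read.
  def parse(data) when is_binary(data), do: parse(data, [], MapSet.new())

  defp parse(<<>>, acc, _unknown), do: {:ok, Enum.reverse(acc)}

  defp parse(<<size::32, name::binary-size(4), rest::binary>> = data, acc, unknown) do
    {header_len, box_size} =
      case {size, rest} do
        {1, <<large::64, _::binary>>} -> {16, large}
        {0, _} -> {8, byte_size(data)}
        _ -> {8, size}
      end

    with :ok <- check_size(box_size, header_len, byte_size(data)),
         {:ok, unknown} <- track_unknown(name, unknown) do
      payload_len = box_size - header_len
      <<_::binary-size(header_len), payload::binary-size(payload_len), tail::binary>> = data
      parse(tail, [{parse_box_name(name), payload} | acc], unknown)
    end
  end

  defp parse(_, _acc, _unknown), do: {:error, :truncated_header}

  defp check_size(box_size, header_len, available)
       when box_size >= header_len and box_size <= available,
       do: :ok

  defp check_size(_, _, _), do: {:error, :bad_box_size}

  defp track_unknown(name, unknown) do
    cond do
      name in @known_names -> {:ok, unknown}
      MapSet.member?(unknown, name) -> {:ok, unknown}
      MapSet.size(unknown) >= @max_unknown_names -> {:error, :too_many_unknown_box_names}
      true -> {:ok, MapSet.put(unknown, name)}
    end
  end

  # Operational check: current atom count against the node's limit. Both
  # system_info keys are available since OTP 20. Alert well below a fraction of 1.0.
  def atom_table_usage do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    %{count: count, limit: limit, fraction: count / limit}
  end

  # Constructed sample input: one known box followed by more distinct made-up
  # names than the cap allows, each an empty 8-byte box as the CVE describes.
  def constructed_sample do
    ftyp = <<8::32, "ftyp">>
    junk = for i <- 0..@max_unknown_names, into: <<>>, do: <<8::32, "zz", i::16>>
    ftyp <> junk
  end
end
```

Feeding constructed_sample/0 to parse/1 returns an error tuple once the 65th distinct unknown name is seen, without any of those names being interned; parse_box_name_unsafe/1 on the same bytes would have created 65 permanent atoms. The same walker also rejects box sizes that run past the input or are smaller than their own header, which the with-chain checks before touching the payload. atom_table_usage/0 is the number to graph and alert on in production.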


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 13:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 11:30:00 +0000

Type                 Values Removed   Values Added
Description                           (text as in the Description section above)
Title                                 Unauthenticated denial-of-service via BEAM atom table exhaustion in membrane_mp4_plugin
First Time appeared                   Membraneframework; Membraneframework membrane Mp4 Plugin
Weaknesses                            CWE-770
CPEs                                  cpe:2.3:a:membraneframework:membrane_mp4_plugin:*:*:*:*:*:*:*:*
Vendors & Products                    Membraneframework; Membraneframework membrane Mp4 Plugin
References
Metrics                               cvssV4_0: {'score': 5.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-11T12:11:18.865Z

Reserved: 2026-06-09T11:01:47.529Z

Link: CVE-2026-53423

Vulnrichment

Updated: 2026-06-11T12:09:36.211Z

NVD

Status : Received

Published: 2026-06-11T12:16:31.810

Modified: 2026-06-11T13:16:33.600

Link: CVE-2026-53423

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T12:30:14Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling