CVE-2026-32686

Source
https://cve.org/CVERecord?id=CVE-2026-32686
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32686.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32686
Aliases
Published
2026-05-07T14:04:47.222Z
Modified
2026-07-08T08:12:47.123729575Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Unbounded exponent in decimal enables unauthenticated DoS
Details

Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service.

The decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. Decimal.new("1e1000000000")) is accepted without error. Subsequent calls to arithmetic functions (Decimal.add/2, Decimal.sub/2, Decimal.div/2), Decimal.tostring/2 with :normal or :xsd format, Decimal.tointeger/1, Decimal.round/3, or Decimal.compare/3 with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM.

Any application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash.

This issue affects decimal: from 0.1.0 before 3.0.0.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "bc11f4a2b6fb61fc1360a0ab4e79141bba918841"
                },
                {
                    "fixed": "6a523f3a73b8c9974540e21c7aa88f1258bb35ae"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32686.json",
    "cna_assigner": "EEF",
    "cwe_ids": [
        "CWE-400"
    ]
}
References

Affected packages

Git / github.com/ericmj/decimal

Affected ranges

Type
GIT
Repo
https://github.com/ericmj/decimal
Events
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0.1.0"
        },
        {
            "fixed": "3.0.0"
        }
    ]
}

Affected versions

v0.*
v0.1.0
v0.1.1
v0.1.2
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v1.*
v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.1.2
v1.2.0
v1.3.0
v1.3.1
v1.4.0
v1.4.1
v1.5.0
v1.6.0
v1.7.0
v1.8.0
v1.8.1
v1.9.0-rc.0
v2.*
v2.0.0
v2.0.0-rc.0
v2.1.0
v2.1.1
v2.2.0
v2.3.0
v2.4.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32686.json"