EEF-CVE-2026-32686
- Source
- https://cna.erlef.org/osv/EEF-CVE-2026-32686.html
- Import Source
- https://cna.erlef.org/osv/EEF-CVE-2026-32686.json
- JSON Data
- https://api.osv.dev/v1/vulns/EEF-CVE-2026-32686
- Aliases
-
- CVE-2026-32686
- GHSA-rhv4-8758-jx7v
- Published
- 2026-05-07T14:04:47.222Z
- Modified
- 2026-05-27T16:00:09.066671332Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Unbounded exponent in decimal enables unauthenticated DoS
- Details
-
Summary
Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service.
The decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. Decimal.new("1e1000000000")) is accepted without error. Subsequent calls to arithmetic functions (Decimal.add/2, Decimal.sub/2, Decimal.div/2), Decimal.tostring/2 with :normal or :xsd format, Decimal.tointeger/1, Decimal.round/3, or Decimal.compare/3 with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM.
Any application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash.
This issue affects decimal: from 0.1.0 before 3.0.0.
- Database specific
{ "cpe_ids": [ "cpe:2.3:a:ericmj:decimal:*:*:*:*:*:*:*:*" ], "cwe_ids": [ "CWE-400" ], "capec_ids": [ "CAPEC-130" ] }- References
- Credits
-
-
- Peter Ullrich - FINDER
-
- Eric Meadows-Jönsson / Hex.pm - REMEDIATION_DEVELOPER
-
- José Valim - REMEDIATION_REVIEWER
-
- Wojtek Mach - REMEDIATION_REVIEWER
-
- Jonatan Männchen / EEF - ANALYST
-
- ruslandoga - REMEDIATION_REVIEWER
-
- Matthew Johnston - REMEDIATION_REVIEWER
-
Affected packages
Hex / decimal
Package
- Name
- decimal
- Purl
- pkg:hex/decimal