EEF-CVE-2026-49762

See a problem?
Please try reporting it to the source first.

Source

https://cna.erlef.org/osv/EEF-CVE-2026-49762.html

Import Source

https://cna.erlef.org/osv/EEF-CVE-2026-49762.json

JSON Data

https://api.osv.dev/v1/vulns/EEF-CVE-2026-49762

Aliases

CVE-2026-49762
GHSA-w2h8-8x3g-278p

Published

2026-06-09T14:04:07.405Z

Modified

2026-06-09T14:56:31.079520638Z

Severity

5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

Unbounded integer parsing in the Version module enables CPU and memory exhaustion denial of service

Details

Summary

Uncontrolled Resource Consumption vulnerability in the Elixir standard library's Version module allows an attacker who controls a version string to cause a denial of service through CPU and memory exhaustion.

The version parser converts numeric version components (major, minor, patch and numeric pre-release/build identifiers) to integers without bounding their length. A single large all-digit component therefore forces a super-linear, non-yielding base-10 to arbitrary-precision integer conversion (String.to_integer/1, i.e. :erlang.binary_to_integer/1) that pins a BEAM scheduler, and a larger component raises an uncaught SystemLimitError that crashes the calling process. A single moderately sized string (around one megabyte) is enough; no authentication is required.

This is reachable from the public entry points Version.parse/1, Version.parse!/1, Version.match?/3, Version.compare/2, and Version.parse_requirement/1, which applications routinely call on untrusted input such as HTTP parameters, dependency-manifest fields, and package metadata.

This vulnerability is associated with program files lib/version.ex and program routines 'Elixir.Version.Parser':parse_digits/2.

This issue affects Elixir: from 1.5.0 before 1.20.1.

Database specific

{
    "cpe_ids": [
        "cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:*"
    ],
    "capec_ids": [
        "CAPEC-130"
    ],
    "cwe_ids": [
        "CWE-400"
    ]
}

References

Credits

- Peter Ullrich - FINDER
- José Valim - REMEDIATION_DEVELOPER
- Eric Meadows-Jönsson - REMEDIATION_REVIEWER
- Jonatan Männchen - ANALYST

Affected packages

Git / github.com/elixir-lang/elixir.git

Affected ranges

Type: GIT
Repo: https://github.com/elixir-lang/elixir.git
Events: Introduced

63e186aea94395897dc4964d82d250130c01ec25

Fixed

c64417d72fd5c7d09e963ca3ac5fa2b140978d9e

Affected versions

v1.*

v1.15.0-rc.0

v1.15.0-rc.1

v1.20.0-rc.0

v1.20.0-rc.1

v1.20.0-rc.2

v1.20.0-rc.3

v1.20.0-rc.4

v1.20.0-rc.5

Database specific

source

"https://cna.erlef.org/osv/EEF-CVE-2026-49762.json"