CVE Catalog

CVE-2026-48854

HighCVSS 8.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.34%

26th percentile — higher than 26% of all known CVEs

Summary

A vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming large or slow-trickle unary request bodies. The lack of size limits for accumulated data and infinite read timeouts enable uncontrolled memory growth.

Risk Assessment

The organization may experience server crashes due to memory exhaustion, leading to service availability interruptions. Attackers can exploit this vulnerability to disrupt system operations.

Recommendation

It is recommended to implement size limits for transmitted data and set appropriate timeouts for connections. Additionally, update grpc to version 1.0.0 or newer.

Original NVD description (English source)

Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body. 'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node. This issue affects grpc from 0.3.1 before 1.0.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS