CVE Catalog

CVE-2026-53426

HighCVSS 8.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile — higher than 3% of all known CVEs

Summary

A vulnerability in the MDEx library for Elixir/Erlang allows exhaustion of the atom table by processing a specially crafted JSON document. The json_to_node/1 function creates new atoms for each unique node_type value, which are never garbage collected, leading to a crash of the entire BEAM virtual machine.

Risk Assessment

An unauthenticated attacker can send a malicious JSON document causing a denial-of-service (DoS) of the entire Erlang node, stopping all processes running on it. This affects any application that passes untrusted input to MDEx.parse_document/2 with a {:json, json} source.

Recommendation

Immediately update the mdex library to version 0.13.2 or later. If an update is not possible, restrict access to the MDEx.parse_document/2 function for untrusted data or implement validation of JSON document size and structure.

Original NVD description (English source)

Allocation of Resources Without Limits or Throttling vulnerability in leandrocp MDEx allows Excessive Allocation. MDEx.parse_document/2 accepts a {:json, json} source. In lib/mdex.ex, the private json_to_node/1 function passes the attacker-controlled node_type value to Module.concat/1, which calls String.to_atom/1 and interns a brand-new atom for every distinct value. Atoms are never garbage collected on the BEAM, so a crafted JSON document carrying a unique node_type at each (deeply nested) node mints one permanent atom per node. A single document can intern hundreds of thousands of atoms, and a large enough document exhausts the default atom table (around 1,048,576 atoms) and aborts the entire Erlang VM, taking down every process on the node. Any application that passes untrusted input to the {:json, ...} source of MDEx.parse_document is exposed to an unauthenticated denial-of-service. This issue affects mdex from 0.4.3 before 0.13.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS