CVE-2026-23940
MEDIUMhexpm < 495f01607d3eae4aed7ad09b2f54f31ec7a7df01 - Denial of Service via Oversized Package Upload
Title source: llmDescription
Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Excessive Allocation. Publishing an oversized package can cause Hex.pm to run out of memory while extracting the uploaded package tarball. This can terminate the affected application instance and result in a denial of service for package publishing and potentially other package-processing functionality. This issue affects hexpm: before 495f01607d3eae4aed7ad09b2f54f31ec7a7df01; hex.pm: before 2026-03-10.
References (4)
Core 4
Core References
Vendor Advisory vendor-advisory
related
https://github.com/hexpm/hexpm/security/advisories/GHSA-jp8w-gxf6-8hcr
Related related
https://cna.erlef.org/cves/CVE-2026-23940.html
Related related
https://osv.dev/vulnerability/EEF-CVE-2026-23940
Scores
CVSS v3
6.5
EPSS
0.0007
EPSS Percentile
21.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-400
Status
published
Products (4)
hex/hexpm
< 2026-03-09
hexpm/hex.pm
< 2026-03-10
hexpm/hexpm
< 495f01607d3eae4aed7ad09b2f54f31ec7a7df01
hexpm/hexpm
pkg:github/hexpm/hexpm@0 - pkg:github/hexpm/hexpm@495f01607d3eae4aed7ad09b2f54f31ec7a7df01
Published
Mar 13, 2026
Tracked Since
Mar 14, 2026