CVE-2026-48854
HIGHUnbounded request body accumulation causes memory exhaustion in elixir-grpc/grpc
Title source: cnaDescription
Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body. 'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node. This issue affects grpc from 0.3.1 before 1.0.0.
References (4)
Core 4
Core References
Vendor Advisory vendor-advisory
related
https://github.com/elixir-grpc/grpc/security/advisories/GHSA-q8gf-9rvj-gmgj
Related related
https://cna.erlef.org/cves/CVE-2026-48854.html
Related related
https://osv.dev/vulnerability/EEF-CVE-2026-48854
Scores
CVSS v4
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Details
CWE
CWE-770
Status
published
Products (2)
elixir-grpc/grpc
0.3.1 - 1.0.0
elixir-grpc/grpc
d1abe70a6cad6dac4a3f8235d883d7c896989560 - 49e18c3ec6bb9afe2f712caad3dbab5c56a68a00
Published
Jun 15, 2026
Tracked Since
Jun 16, 2026