CVE-2026-23940
Uncontrolled Resource Consumption in Hex.pm Causes Denial of Service

Publication date: 2026-03-13

Last updated on: 2026-04-06

Assigner: EEF

Description
Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Excessive Allocation. Publishing an oversized package can cause Hex.pm to run out of memory while extracting the uploaded package tarball. This can terminate the affected application instance and result in a denial of service for package publishing and potentially other package-processing functionality. This issue affects hexpm: before 495f01607d3eae4aed7ad09b2f54f31ec7a7df01; hex.pm: before 2026-03-10.
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-03-13
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor: hex
Product: hexpm
Version / Range: to 2026-03-09 (exclusive)
CWE
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-23940 is an Uncontrolled Resource Consumption vulnerability in Hex.pm, a package repository system. It occurs when an attacker publishes an oversized package, causing Hex.pm to run out of memory while extracting the uploaded package tarball. This excessive memory allocation can terminate the application instance handling the request.

The root cause is that the system previously loaded large tarballs fully into memory during processing, which could exhaust available memory. The vulnerability allows attackers to cause a denial of service by overwhelming the system's memory resources. [2]


How can this vulnerability impact me?

This vulnerability can lead to a denial of service (DoS) condition in Hex.pm by causing the application instance to terminate due to memory exhaustion. This disrupts package publishing and potentially other package-processing functionalities.

An attacker can exploit this by uploading very large packages or orchestrating multiple simultaneous large package uploads, which can overwhelm the system's memory and cause service outages. [2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as excessive memory consumption during the extraction of uploaded package tarballs, which can cause the Hex.pm application instance to terminate and result in denial of service.

Detection can focus on monitoring memory usage spikes and application crashes related to package publishing activities.

  • Monitor system memory usage and application logs for out-of-memory errors or crashes during package upload or extraction.
  • Use commands like `top`, `htop`, or `free -m` on the server hosting Hex.pm to observe memory consumption during package publishing.
  • Check application logs for errors related to tarball extraction failures or unexpected termination.
  • If possible, enable debug logging for package uploads to capture oversized tarball uploads or failures.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include preventing the upload of oversized packages and applying the patch that addresses this vulnerability.

  • Enforce maximum tarball size limits (e.g., 16MB compressed and 128MB uncompressed) to reject large package uploads.
  • Update Hex.pm to the fixed version that includes commit 495f01607d3eae4aed7ad09b2f54f31ec7a7df01 or later, which implements streaming uploads to disk and size validations.
  • Monitor and limit concurrent package publishing requests to reduce the risk of memory exhaustion.
  • Consider temporarily disabling package publishing if patching is not immediately possible.
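The size caps and stream-to-disk extraction from the mitigation list above, shown as an added Python example; this is not hexpm's own code (the project is written in Elixir), and the 16MB/128MB defaults, the chunk size and the two sample payloads are assumptions built around the figures given above.

```python
import gzip
import io
import zlib

# Caps from the mitigation list above: bound both the upload and what it inflates to.
MAX_COMPRESSED = 16 * 1024 * 1024
MAX_UNCOMPRESSED = 128 * 1024 * 1024
CHUNK = 64 * 1024  # upper bound on bytes held in memory per step

class TarballTooLarge(ValueError):
    pass

def inflate_bounded(src, sink, max_compressed=MAX_COMPRESSED,
                    max_uncompressed=MAX_UNCOMPRESSED):
    """Inflate gzip from file-like src into sink (e.g. a temp file) in bounded chunks."""
    inflater = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # gzip framing
    read_total = written_total = 0
    while True:
        piece = src.read(CHUNK)
        if not piece:
            break
        read_total += len(piece)
        if read_total > max_compressed:
            raise TarballTooLarge("compressed size over %d bytes" % max_compressed)
        pending = piece  # max_length bounds each call's output; leftover input
        while pending:   # comes back via unconsumed_tail for the next round
            out = inflater.decompress(pending, CHUNK)
            written_total += len(out)
            if written_total > max_uncompressed:
                raise TarballTooLarge("uncompressed size over %d bytes" % max_uncompressed)
            sink.write(out)
            pending = inflater.unconsumed_tail
    tail = inflater.flush()  # anything still buffered counts against the cap too
    written_total += len(tail)
    if written_total > max_uncompressed:
        raise TarballTooLarge("uncompressed size over %d bytes" % max_uncompressed)
    sink.write(tail)
    return read_total, written_total

def upload_accepted(blob, **caps):
    """True if blob inflates within the caps, False if it would be rejected."""
    try:
        inflate_bounded(io.BytesIO(blob), io.BytesIO(), **caps)
        return True
    except TarballTooLarge:
        return False

# Constructed samples: a small normal upload and a 4 MiB all-zero "bomb" that gzips to a few KiB.
NORMAL_UPLOAD = gzip.compress(b"hello world" * 1000)
BOMB_UPLOAD = gzip.compress(b"\0" * (4 * 1024 * 1024))
```

Because the check runs per chunk, the request is refused after at most one extra CHUNK of output, rather than after the whole tarball has been materialised in memory.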
