CVE-2026-23940
Received Received - Intake
Uncontrolled Resource Consumption in Hex.pm Causes Denial of Service

Publication date: 2026-03-13

Last updated on: 2026-04-06

Assigner: EEF

Description
Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Excessive Allocation. Publishing an oversized package can cause Hex.pm to run out of memory while extracting the uploaded package tarball. This can terminate the affected application instance and result in a denial of service for package publishing and potentially other package-processing functionality. This issue affects hexpm: before 495f01607d3eae4aed7ad09b2f54f31ec7a7df01; hex.pm: before 2026-03-10.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-04-06
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23940
EUVD
EUVD-2026-12050
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hex hexpm to 2026-03-09 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-23940 is an Uncontrolled Resource Consumption vulnerability in Hex.pm, a package repository system. It occurs when an attacker publishes an oversized package, causing Hex.pm to run out of memory while extracting the uploaded package tarball. This excessive memory allocation can terminate the application instance handling the request.'}, {'type': 'paragraph', 'content': "The root cause is that the system previously loaded large tarballs fully into memory during processing, which could exhaust available memory. The vulnerability allows attackers to cause a denial of service by overwhelming the system's memory resources."}] [2]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to a denial of service (DoS) condition in Hex.pm by causing the application instance to terminate due to memory exhaustion. This disrupts package publishing and potentially other package-processing functionalities.'}, {'type': 'paragraph', 'content': "An attacker can exploit this by uploading very large packages or orchestrating multiple simultaneous large package uploads, which can overwhelm the system's memory and cause service outages."}] [2]

Compliance Impact

I don't know

Detection Guidance

This vulnerability manifests as excessive memory consumption during the extraction of uploaded package tarballs, which can cause the Hex.pm application instance to terminate and result in denial of service.

Detection can focus on monitoring memory usage spikes and application crashes related to package publishing activities.

  • Monitor system memory usage and application logs for out-of-memory errors or crashes during package upload or extraction.
  • Use commands like `top`, `htop`, or `free -m` on the server hosting Hex.pm to observe memory consumption during package publishing.
  • Check application logs for errors related to tarball extraction failures or unexpected termination.
  • If possible, enable debug logging for package uploads to capture oversized tarball uploads or failures.
Mitigation Strategies

Immediate mitigation steps include preventing the upload of oversized packages and applying the patch that addresses this vulnerability.

  • Enforce maximum tarball size limits (e.g., 16MB compressed and 128MB uncompressed) to reject large package uploads.
  • Update Hex.pm to the fixed version that includes commit 495f01607d3eae4aed7ad09b2f54f31ec7a7df01 or later, which implements streaming uploads to disk and size validations.
  • Monitor and limit concurrent package publishing requests to reduce the risk of memory exhaustion.
  • Consider temporarily disabling package publishing if patching is not immediately possible.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23940. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart