CVE-2026-32686
Uncontrolled Resource Consumption in decimal Library
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: EEF
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ericmj | decimal | From 0.1.0 (inc) to 3.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32686 is an Uncontrolled Resource Consumption vulnerability in the Erlang decimal library versions 0.1.0 to before 3.0.0. The issue arises because the decimal library does not limit the size of the exponent when parsing decimal input, allowing extremely large exponents such as "1e1000000000" to be accepted without error.
When arithmetic operations, rounding, integer conversion, or string formatting functions are called on such large exponent values, the library allocates memory proportional to the exponent size. This can exhaust available memory and crash the BEAM virtual machine, causing a denial-of-service (DoS) condition.
Any application that accepts user-supplied decimal input and performs these operations is vulnerable, and a single malicious request can trigger an out-of-memory crash.
How can this vulnerability impact me? :
This vulnerability can lead to a denial-of-service (DoS) attack by exhausting system memory. When an attacker sends a decimal input with a very large exponent, the system allocates excessive memory during arithmetic or conversion operations, potentially consuming over 7GB of memory.
The result is an out-of-memory crash of the BEAM runtime, which can cause the affected application or service to become unavailable.
Any system processing user-supplied decimal values, such as JSON inputs or form fields, is at risk, making it possible for unauthenticated remote attackers to disrupt service with a single malicious request.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually large decimal exponent inputs in your application logs or network traffic, especially inputs like "1e1000000000" or similarly large exponents.
Since the vulnerability involves excessive memory consumption triggered by large decimal exponents, you can detect it by checking for high memory usage or crashes in the BEAM VM when processing decimal inputs.
There are no specific commands provided in the resources, but general detection steps include:
- Inspect application logs or input validation logs for decimal inputs with very large exponents.
- Monitor BEAM VM memory usage and crash logs for out-of-memory errors related to decimal operations.
- Use network monitoring tools to capture and analyze incoming requests containing decimal values with large exponents.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the decimal library to version 3.0.0 or later, where the vulnerability is fixed.
The fix enforces limits on decimal exponent size and digit counts by default, preventing unbounded resource consumption.
If upgrading immediately is not possible, you can mitigate the issue by applying limits on user-supplied decimal inputs in your application, such as restricting the exponent size and digit count before processing.
The patch changes Decimal.Context defaults to enforce maximum exponent and digit limits, which can be configured or overridden if needed.
- Upgrade the decimal library to version 3.0.0 or later.
- Validate and sanitize user inputs to reject decimal values with excessively large exponents.
- Monitor application memory usage and BEAM VM stability to detect potential exploitation attempts.