CVE-2026-32686
Deferred Deferred - Pending Action
Uncontrolled Resource Consumption in decimal Library

Publication date: 2026-05-07

Last updated on: 2026-05-08

Assigner: EEF

Description
Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service. The decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. Decimal.new("1e1000000000")) is accepted without error. Subsequent calls to arithmetic functions (Decimal.add/2, Decimal.sub/2, Decimal.div/2), Decimal.to_string/2 with :normal or :xsd format, Decimal.to_integer/1, Decimal.round/3, or Decimal.compare/3 with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM. Any application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash. This issue affects decimal: from 0.1.0 before 3.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-08
Generated
2026-06-17
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32686
EUVD
EUVD-2026-28376
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ericmj decimal From 0.1.0 (inc) to 3.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32686 is an Uncontrolled Resource Consumption vulnerability in the Erlang decimal library versions 0.1.0 to before 3.0.0. The issue arises because the decimal library does not limit the size of the exponent when parsing decimal input, allowing extremely large exponents such as "1e1000000000" to be accepted without error.

When arithmetic operations, rounding, integer conversion, or string formatting functions are called on such large exponent values, the library allocates memory proportional to the exponent size. This can exhaust available memory and crash the BEAM virtual machine, causing a denial-of-service (DoS) condition.

Any application that accepts user-supplied decimal input and performs these operations is vulnerable, and a single malicious request can trigger an out-of-memory crash.

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) attack by exhausting system memory. When an attacker sends a decimal input with a very large exponent, the system allocates excessive memory during arithmetic or conversion operations, potentially consuming over 7GB of memory.

The result is an out-of-memory crash of the BEAM runtime, which can cause the affected application or service to become unavailable.

Any system processing user-supplied decimal values, such as JSON inputs or form fields, is at risk, making it possible for unauthenticated remote attackers to disrupt service with a single malicious request.

Detection Guidance

This vulnerability can be detected by monitoring for unusually large decimal exponent inputs in your application logs or network traffic, especially inputs like "1e1000000000" or similarly large exponents.

Since the vulnerability involves excessive memory consumption triggered by large decimal exponents, you can detect it by checking for high memory usage or crashes in the BEAM VM when processing decimal inputs.

There are no specific commands provided in the resources, but general detection steps include:

  • Inspect application logs or input validation logs for decimal inputs with very large exponents.
  • Monitor BEAM VM memory usage and crash logs for out-of-memory errors related to decimal operations.
  • Use network monitoring tools to capture and analyze incoming requests containing decimal values with large exponents.
Mitigation Strategies

The immediate mitigation step is to upgrade the decimal library to version 3.0.0 or later, where the vulnerability is fixed.

The fix enforces limits on decimal exponent size and digit counts by default, preventing unbounded resource consumption.

If upgrading immediately is not possible, you can mitigate the issue by applying limits on user-supplied decimal inputs in your application, such as restricting the exponent size and digit count before processing.

The patch changes Decimal.Context defaults to enforce maximum exponent and digit limits, which can be configured or overridden if needed.

  • Upgrade the decimal library to version 3.0.0 or later.
  • Validate and sanitize user inputs to reject decimal values with excessively large exponents.
  • Monitor application memory usage and BEAM VM stability to detect potential exploitation attempts.
Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-32686 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32686. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart