CVE-2026-8469
Atom Table Exhaustion in Phoenix Storybook
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: EEF
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phenixdigital | phoenix_storybook | From 0.2.0 (inc) to 1.1.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability primarily causes an unauthenticated denial-of-service (DoS) by exhausting the BEAM atom table, leading to a crash of the entire BEAM node and disruption of availability.
There is no information in the provided context or resources indicating that this vulnerability leads to unauthorized access, data leakage, or compromise of personal or sensitive data.
Therefore, based on the available information, this vulnerability impacts system availability but does not directly affect compliance with data protection standards or regulations such as GDPR or HIPAA, which primarily focus on confidentiality and integrity of personal data.
Can you explain this vulnerability to me?
CVE-2026-8469 is a vulnerability in the phoenix_storybook package where multiple LiveView event handlers convert user-supplied strings into BEAM atoms with String.to_atom/1 without validating them first.
Because BEAM atoms are never garbage-collected, each unique attacker-controlled string permanently occupies a slot in the atom table.
An attacker can exploit this by sending many unique strings, exhausting the atom table limit (~1,048,576 atoms), which causes the entire BEAM node to crash and take down all running applications.
This issue affects phoenix_storybook versions from 0.2.0 up to but not including 1.1.0.
How can this vulnerability impact me?
This vulnerability can lead to an unauthenticated denial-of-service (DoS) attack against applications using the affected phoenix_storybook versions.
By exhausting the BEAM atom table through attacker-controlled input, the entire BEAM node crashes, causing all applications running on it to become unavailable.
The impact is primarily on availability, potentially causing downtime and disruption of services.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the BEAM atom table usage on your system. Since the issue is exhaustion of the atom table through unbounded creation of atoms from user input, an unusually high or rapidly increasing atom count may indicate an attack or exploitation attempt.
You can check the number of atoms currently in use by a BEAM VM with the following Erlang command. Note that it reports only the node it runs in, so a fresh `erl` process shows its own freshly started table; to observe the affected application, run the same call, `erlang:system_info(atom_count)`, from a shell attached to that application's node:
- `erl -eval 'erlang:system_info(atom_count), halt().' -noshell`
Additionally, monitoring network traffic to the phoenix_storybook route for unusual or excessive LiveView event parameters that may be attempting to create new atoms can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade phoenix_storybook to version 1.1.0 or later, where the vulnerability has been fixed.
The fix involves replacing unsafe conversions of user-supplied strings to atoms (using String.to_atom/1) with safer alternatives like String.to_existing_atom/1, and validating that only predefined atoms are used.
If immediate upgrade is not possible, consider restricting or disabling access to the phoenix_storybook route, especially in production or publicly accessible environments, to prevent unauthenticated attackers from sending malicious LiveView events.
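As an added illustration that is not phoenix_storybook's own code, the following plain Elixir module contrasts the unsafe conversion described above with an allowlist-based replacement, and exposes the atom-table check used for detection; the tab names and the parameter are hypothetical placeholders, and the constructed inputs in `demo/1` exist only to show the difference in atom-table growth on a local node.

```elixir
# Added example, not phoenix_storybook code. Tab names are hypothetical.
defmodule AtomSafety do
  # Allowed values are fixed at compile time, so these atoms already exist
  # before any request arrives; no request can add to the set.
  @allowed_tabs [:story, :playground, :source]
  @tab_by_name Map.new(@allowed_tabs, fn a -> {Atom.to_string(a), a} end)

  # Vulnerable pattern from the advisory: every distinct string becomes a new,
  # never-collected atom, so the caller controls atom-table growth.
  def unsafe_tab(param) when is_binary(param), do: String.to_atom(param)

  # Hardened pattern: map the string onto a predefined atom via an allowlist.
  # Unknown input is rejected without allocating anything.
  def safe_tab(param) when is_binary(param) do
    case Map.fetch(@tab_by_name, param) do
      {:ok, atom} -> {:ok, atom}
      :error -> {:error, :unknown_tab}
    end
  end

  # Detection aid: how full is this node's atom table right now?
  def atom_table_usage do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    %{count: count, limit: limit, percent: Float.round(count / limit * 100, 2)}
  end

  # Constructed inputs: unique strings that match no allowed tab. The safe
  # path leaves the atom count unchanged; the unsafe path grows it by n.
  def demo(n \\ 1_000) do
    inputs = for i <- 1..n, do: "tab-#{:erlang.unique_integer([:positive])}-#{i}"
    before = :erlang.system_info(:atom_count)
    Enum.each(inputs, &safe_tab/1)
    after_safe = :erlang.system_info(:atom_count)
    Enum.each(inputs, &unsafe_tab/1)
    after_unsafe = :erlang.system_info(:atom_count)
    %{safe_growth: after_safe - before, unsafe_growth: after_unsafe - after_safe}
  end
end

IO.inspect(AtomSafety.safe_tab("story"), label: "known tab")
IO.inspect(AtomSafety.safe_tab("not-a-tab"), label: "unknown tab")
IO.inspect(AtomSafety.demo(), label: "atom growth")
IO.inspect(AtomSafety.atom_table_usage(), label: "atom table")
```

Run it with `elixir atom_safety.exs`; `atom_table_usage/0` is the same `system_info` call as the detection command above, expressed from Elixir, and can be wired into an existing metrics exporter to alert before the limit is reached.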