CVE-2026-48854
BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: EEF

Description
Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body. 'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node. This issue affects grpc from 0.3.1 before 1.0.0.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: elixir
Product: grpc
Version / Range: from 0.3.1 (inclusive) to 1.0.0 (exclusive)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Executive Summary

This vulnerability exists in the elixir-grpc grpc server, where the function 'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_full_body/3 accumulates incoming request data into a single binary without any size limit.

If a client sends a large or slow-trickle unary request body, the server keeps accumulating data indefinitely because there is no cap on the size.

Additionally, if the client does not provide a grpc-timeout header, the read timeout for each chunk is set to infinity, allowing the client to keep the connection alive indefinitely while memory usage grows.

As a result, an unauthenticated attacker can exhaust the server's memory with just a single connection, causing the BEAM virtual machine to crash.
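The description and the summary above name two missing controls: a cap on how many bytes the accumulated body may reach, and a finite wait for each chunk when the client sends no grpc-timeout header. The Elixir module below is an added illustration of both controls written for this page; it is not elixir-grpc's handler, nor the project's actual fix. It assumes Cowboy 2's :cowboy_req.read_body/2 with its :length and :period options (real Cowboy API); the module name, the option names and every limit value are assumptions chosen for illustration.

```elixir
defmodule BoundedBodyReader do
  @moduledoc """
  Added example (not elixir-grpc's code): read a unary request body from a
  Cowboy 2 request while enforcing a hard byte cap and a finite overall
  deadline, so neither a large body nor a slow-trickle client can grow
  memory without bound. Limit values are assumed defaults for illustration.
  """

  # Assumed limits; a real server would take these from configuration.
  @max_body_bytes 4 * 1024 * 1024   # reject bodies above 4 MiB
  @chunk_bytes 64 * 1024            # ask Cowboy for at most 64 KiB per call
  @chunk_period_ms 5_000            # wait at most 5 s for each chunk
  @total_deadline_ms 30_000         # whole body must arrive within 30 s

  @doc """
  Returns {:ok, body, req} on success, or {:error, reason, req} where reason
  is :body_too_large or :timeout. Chunks are collected as iodata and joined
  once at the end instead of re-concatenating a growing binary per chunk.
  """
  def read_full_body(req, opts \\ []) do
    max_bytes = Keyword.get(opts, :max_body_bytes, @max_body_bytes)
    period = Keyword.get(opts, :chunk_period_ms, @chunk_period_ms)
    deadline = now_ms() + Keyword.get(opts, :total_deadline_ms, @total_deadline_ms)
    read_loop(req, [], 0, max_bytes, period, deadline)
  end

  defp read_loop(req, acc, size, max_bytes, period, deadline) do
    remaining_ms = deadline - now_ms()

    if remaining_ms <= 0 do
      # A trickling client that never finishes is cut off here rather than
      # holding the connection (and the buffered bytes) open indefinitely.
      {:error, :timeout, req}
    else
      # :period bounds how long Cowboy waits for this one chunk, so the wait
      # can never resolve to :infinity even without a client-supplied timeout.
      # When the period elapses Cowboy returns what it has (possibly nothing)
      # as {:more, data, req}, and the deadline check above handles the rest.
      read_opts = %{length: @chunk_bytes, period: min(period, remaining_ms)}

      case :cowboy_req.read_body(req, read_opts) do
        {:ok, data, req} ->
          finish(acc, size, data, max_bytes, req)

        {:more, data, req} ->
          new_size = size + byte_size(data)

          if new_size > max_bytes do
            # Stop before buffering further; the caller should reject the
            # request rather than keep reading.
            {:error, :body_too_large, req}
          else
            read_loop(req, [acc, data], new_size, max_bytes, period, deadline)
          end
      end
    end
  end

  # Final chunk: apply the same cap before materialising the full binary.
  defp finish(acc, size, data, max_bytes, req) do
    if size + byte_size(data) > max_bytes do
      {:error, :body_too_large, req}
    else
      {:ok, IO.iodata_to_binary([acc, data]), req}
    end
  end

  defp now_ms, do: System.monotonic_time(:millisecond)
end
```

A handler using this would map :body_too_large to the gRPC RESOURCE_EXHAUSTED status and :timeout to DEADLINE_EXCEEDED, and would close the connection in either case; the important property for the CWE-770 class is that the rejection happens while at most max_bytes plus one chunk is buffered, and within a bounded time, regardless of what headers the client chose to send.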

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition by allowing an attacker to exhaust the server's memory resources.

Because the server crashes when memory is exhausted, legitimate users will be unable to access the service until it is restarted or recovered.

The attack requires no authentication and can be executed with a single connection, making it easy to exploit.
