CVE-2026-48854
Deferred Deferred - Pending Action

Allocation of Resources Without Limits or Throttling in Elixir.GRPC

Vulnerability report for CVE-2026-48854, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: EEF

Description

Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body. 'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node. This issue affects grpc from 0.3.1 before 1.0.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-04
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
elixir grpc From 0.3.1 (inc) to 1.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the elixir-grpc grpc server where the function 'Elixir.GRPC.Server.Adapters.Cowboy.Handler:read_full_body/3' accumulates incoming request data into a single binary without any size limit.

If a client sends a large or slow-trickle unary request body, the server keeps accumulating data indefinitely because there is no cap on the size.

Additionally, if the client does not provide a grpc-timeout header, the read timeout for each chunk is set to infinity, allowing the client to keep the connection alive indefinitely while memory usage grows.

As a result, an unauthenticated attacker can exhaust the server's memory with just a single connection, causing the BEAM virtual machine to crash.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition by allowing an attacker to exhaust the server's memory resources.

Because the server crashes when memory is exhausted, legitimate users will be unable to access the service until it is restarted or recovered.

The attack requires no authentication and can be executed with a single connection, making it easy to exploit.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high or growing memory usage on the server running elixir-grpc versions from 0.3.1 up to but not including 1.0.0, especially when handling unary gRPC requests.

A proof of concept involves streaming a large request body (e.g., 1 GiB) in chunks without the grpc-timeout header and observing proportional memory growth and potential server crashes.

To detect exploitation attempts on your system, you can monitor active connections to the gRPC server and check for long-lived connections without grpc-timeout headers or unusually slow data trickle.

  • Use system monitoring tools like `top`, `htop`, or `free -m` to observe memory usage spikes.
  • Use network monitoring tools like `netstat -anp | grep <grpc_server_port>` or `ss -tnp | grep <grpc_server_port>` to identify long-lived TCP connections.
  • Use packet capture tools like `tcpdump` or `wireshark` to analyze gRPC traffic for missing grpc-timeout headers or unusually slow request bodies.
Mitigation Strategies

Immediate mitigation involves upgrading the elixir-grpc library to version 1.0.0 or later, where the vulnerability has been fixed.

The fix includes limiting the maximum request body size (default 4 MB) and preventing infinite read timeouts by not overriding Cowboy's built-in read timeout with :infinity.

If upgrading immediately is not possible, consider implementing network-level protections such as rate limiting, connection timeouts, or filtering to prevent slow-trickle or large unary requests without grpc-timeout headers.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48854. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart