CVE-2026-49762
Uncontrolled Resource Consumption in Elixir Version Module

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: EEF

Description
Uncontrolled Resource Consumption vulnerability in the Elixir standard library's Version module allows an attacker who controls a version string to cause a denial of service through CPU and memory exhaustion. The version parser converts numeric version components (major, minor, patch and numeric pre-release/build identifiers) to integers without bounding their length. A single large all-digit component therefore forces a super-linear, non-yielding base-10 to arbitrary-precision integer conversion (String.to_integer/1, i.e. :erlang.binary_to_integer/1) that pins a BEAM scheduler, and a larger component raises an uncaught SystemLimitError that crashes the calling process. A single moderately sized string (around one megabyte) is enough; no authentication is required. This is reachable from the public entry points Version.parse/1, Version.parse!/1, Version.match?/3, Version.compare/2, and Version.parse_requirement/1, which applications routinely call on untrusted input such as HTTP parameters, dependency-manifest fields, and package metadata. This vulnerability is associated with program files lib/version.ex and program routines 'Elixir.Version.Parser':parse_digits/2. This issue affects Elixir: from 1.5.0 before 1.20.1.
Affected Vendors & Products
Showing 2 associated CPEs

Vendor        Product   Version / Range
elixir-lang   elixir    From 1.5.0 (inc) to 1.20.1 (exc)
elixir        elixir    From 1.5.0 (inc) to 1.20.1 (exc)
CWE
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-49762 is an uncontrolled resource consumption vulnerability in the Elixir standard library's Version module. It occurs because the version parser converts numeric version components to integers without limiting their length. An attacker can supply a version string with an excessively large numeric component, causing a super-linear, non-yielding base-10 to arbitrary-precision integer conversion that exhausts CPU and memory resources.

This leads to a denial of service by pinning a BEAM scheduler or crashing the calling process with a SystemLimitError. The vulnerability can be triggered by unauthenticated attackers through public functions like Version.parse/1, Version.parse!/1, Version.match?/3, Version.compare/2, and Version.parse_requirement/1, which often process untrusted input such as HTTP parameters or package metadata.

Impact Analysis

This vulnerability can cause denial of service (DoS) conditions by exhausting CPU and memory resources on systems running vulnerable versions of Elixir (1.5.0 up to but not including 1.20.1).

An attacker can trigger this by providing a specially crafted version string with a large numeric component, which can pin a BEAM scheduler or crash the process, potentially making applications or services unavailable.

No authentication or privileges are required to exploit this vulnerability, making it a risk especially for applications that parse untrusted version inputs from sources like HTTP parameters or package metadata.

Detection Guidance

This vulnerability arises when untrusted version strings with excessively large numeric components are processed by Elixir's Version module functions such as Version.parse/1, Version.parse!/1, Version.match?/3, Version.compare/2, and Version.parse_requirement/1.

To detect exploitation attempts or presence of this vulnerability, monitor for unusually high CPU and memory usage by BEAM scheduler processes, especially when handling version strings or dependency metadata.

Since the vulnerability is triggered by large numeric version components, you can search logs or inputs for version strings with very long numeric parts (e.g., strings around one megabyte or large digit sequences).

Suggested commands include:

  • Use system monitoring tools like `top`, `htop`, or `ps` to identify BEAM processes with high CPU or memory usage.
  • Search application logs or input data for suspiciously large version strings using a command like `grep -E '[0-9]{100,}' <logfile>` to find runs of 100 or more digits (POSIX `grep -E` does not understand `\d`, so spell the digit class out).
  • If you have access to the Elixir code or runtime, add instrumentation or logging around calls to Version module functions to detect unusually large inputs before they reach the parser.

Mitigation Strategies

The primary mitigation is to upgrade Elixir to version 1.20.1 or later, where the vulnerability is fixed by limiting numeric version components to 14 bytes.

If upgrading immediately is not possible, implement input validation to restrict the length of version strings and their numeric components before passing them to the Version module functions.

  • Enforce a maximum length on version strings, for example, limiting them to 64 bytes as recommended.
  • Reject or sanitize version strings containing excessively long numeric components.

Additionally, monitor system resource usage to detect potential exploitation attempts and consider rate-limiting or authentication on inputs that provide version strings.
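The following is an added example of the input-validation workaround described above; it is not code from the Elixir project or from the 1.20.1 fix. It assumes the 64-byte overall cap recommended above and a 14-digit per-component cap mirroring the upstream fix, and wraps Version.parse/1, Version.parse_requirement/1 and Version.match?/2 so that an oversized string is rejected before any base-10 to integer conversion runs.

```elixir
defmodule SafeVersion do
  @moduledoc """
  Length-checked front door to Elixir's Version module (example code for
  CVE-2026-49762, not part of the Elixir standard library).
  """

  # Both bounds are assumptions taken from the advisory text: 64 bytes is the
  # recommended overall cap, 14 digits matches the limit Elixir 1.20.1 enforces.
  @max_bytes 64
  @max_digits 14

  @doc "Returns {:ok, %Version{}} or {:error, reason}; oversized input never reaches Version.parse/1."
  def parse(input) when is_binary(input) do
    with :ok <- check_size(input) do
      case Version.parse(input) do
        {:ok, version} -> {:ok, version}
        :error -> {:error, :invalid_version}
      end
    end
  end

  def parse(_other), do: {:error, :not_a_binary}

  @doc "Like Version.match?/2, but both strings are size-checked first; a rejected input yields false."
  def match?(version, requirement) when is_binary(version) and is_binary(requirement) do
    with {:ok, parsed} <- parse(version),
         :ok <- check_size(requirement),
         {:ok, req} <- Version.parse_requirement(requirement) do
      Version.match?(parsed, req)
    else
      _ -> false
    end
  end

  # The total-length cap is the primary defence; the per-component check then
  # rejects any maximal digit run (major, minor, patch, numeric pre-release or
  # build identifier) longer than @max_digits, mirroring the upstream fix.
  defp check_size(input) do
    digit_runs = String.split(input, ~r/[^0-9]+/, trim: true)

    cond do
      byte_size(input) > @max_bytes -> {:error, :too_long}
      Enum.any?(digit_runs, &(byte_size(&1) > @max_digits)) -> {:error, :numeric_component_too_long}
      true -> :ok
    end
  end
end
```

Calling `SafeVersion.parse(String.duplicate("9", 1_000_000))` returns `{:error, :too_long}` without invoking the parser, while ordinary inputs such as `"1.20.1-rc.1"` pass straight through to Version.parse/1.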

Compliance Impact

The vulnerability causes uncontrolled resource consumption leading to denial of service through CPU and memory exhaustion. This primarily impacts system availability.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, denial of service vulnerabilities can indirectly affect compliance by disrupting availability requirements mandated by such regulations.

However, since this vulnerability does not involve unauthorized data access or data breaches, its direct impact on data protection regulations is limited.
