CVE-2026-53423
Status: Received - Intake
Denial-of-service via atom table exhaustion in Membrane MP4 Plugin

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: EEF

Description
Allocation of Resources Without Limits or Throttling vulnerability in membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion. The MP4 box header parser converts each 4-byte box name to an atom using String.to_atom/1 without validation. 'Elixir.Membrane.MP4.Container.Header':parse_box_name/1 in lib/membrane_mp4/container/header.ex interns every box name encountered while 'Elixir.Membrane.MP4.Container.Header':parse/1 walks the input. BEAM atoms are never garbage-collected, so each unique attacker-controlled 4-byte name is a permanent allocation. A crafted MP4 of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names exhausts the atom table (default ceiling around 1,048,576 atoms), aborting the entire BEAM node and taking down all applications running on it. This issue affects membrane_mp4_plugin from 0.3.0 before 0.36.7.
Meta Information
Published: 2026-06-11
Last Modified: 2026-06-11
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: membraneframework
Product: membrane_mp4_plugin
Version range: from 0.3.0 (inclusive) to 0.36.7 (exclusive)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Executive Summary

CVE-2026-53423 is a vulnerability in membrane_mp4_plugin, an Elixir library running on the Erlang VM (BEAM), that allows an unauthenticated denial-of-service attack by exhausting the BEAM atom table.

The MP4 box header parser converts each 4-byte box name into a BEAM atom using String.to_atom/1 without validating the input. Since BEAM atoms are never garbage-collected, each unique attacker-controlled box name permanently consumes an atom.

An attacker can craft an MP4 file containing about 1.1 million boxes with distinct non-standard names, which exhausts the atom table (default limit around 1,048,576 atoms). This causes the entire BEAM node to crash, taking down all applications running on it.

Impact Analysis

This vulnerability can cause a denial-of-service condition by crashing the entire BEAM node that runs the membrane_mp4_plugin.

Because the atom table is exhausted, all Erlang/Elixir applications running on the same node will be aborted, leading to service disruption and downtime.

Exploitation requires no authentication or user interaction beyond delivering a malicious MP4 file to the parser, making it relatively easy for attackers to trigger.

Detection Guidance

This vulnerability involves exhaustion of the BEAM atom table caused by parsing MP4 files with many unique 4-byte box names converted to atoms without validation.

Detection can focus on monitoring the BEAM node for crashes or abnormal resource usage related to atom table exhaustion.

Since the issue arises from processing crafted MP4 files, inspecting incoming MP4 files for an unusually high number of unique box headers or malformed box names may help.

Specific commands are not provided in the resources, but general approaches include:

  • Monitoring BEAM VM logs for crashes or errors related to atom table limits.
  • Using Erlang shell commands to check atom table usage, e.g., `erlang:system_info(atom_count).` to monitor the current number of atoms.
  • Analyzing MP4 files before processing to count unique box names or validate box headers to detect suspicious files.

Mitigation Strategies

The primary mitigation is to upgrade the membrane_mp4_plugin to version 0.36.7 or later, where the vulnerability is fixed.

The fix replaces unsafe atom creation with `String.to_existing_atom/1`, preventing new atoms from being created for unrecognized box names and instead treating them as :unknown.

Until the upgrade is applied, avoid processing untrusted or malformed MP4 files that could contain many unique box names.

Additionally, monitoring the BEAM node for atom table usage and crashes can help detect exploitation attempts.
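As an added illustration (not membrane_mp4_plugin's own code), the two name-conversion patterns described above sit side by side in a minimal box walker, together with the atom-table metric a monitor would watch; the module name, the known-box list and the sample data are constructed for this example.

```elixir
defmodule BoxNameDemo do
  # Hypothetical stand-in for the advisory's box header parser, not the plugin's code.
  # ~w(...)a creates these atoms at compile time, so they exist before any input is parsed.
  @known_boxes ~w(ftyp moov mvhd trak mdia minf stbl stsd mdat free)a
  def known_boxes, do: @known_boxes

  # Vulnerable pattern (CWE-770): every distinct 4-byte name becomes a permanent atom, so input size bounds atom table growth.
  def parse_box_name_unsafe(<<name::binary-size(4)>>), do: String.to_atom(name)

  # Fixed pattern: only pre-existing atoms convert; any other name raises ArgumentError, mapped to :unknown.
  def parse_box_name_safe(<<name::binary-size(4)>>) do
    String.to_existing_atom(name)
  rescue
    ArgumentError -> :unknown
  end

  # Minimal box walker: 32-bit big-endian size (header included), then the 4-byte name.
  # Extended sizes (size == 1) and size == 0 ("to end of file") are not handled here.
  def parse(binary, name_fun, acc \\ [])
  def parse(<<>>, _name_fun, acc), do: Enum.reverse(acc)
  def parse(<<size::32-big, name::binary-size(4), rest::binary>>, name_fun, acc)
      when size >= 8 do
    payload_len = size - 8
    <<_payload::binary-size(payload_len), tail::binary>> = rest
    parse(tail, name_fun, [name_fun.(name) | acc])
  end

  # Constructed sample: two standard boxes and two made-up names, all with empty payloads.
  def sample do
    for name <- ["ftyp", "moov", "zq01", "zq02"], into: <<>>, do: <<8::32-big, name::binary>>
  end

  # Atom table occupancy as a fraction of the node's hard ceiling, a metric worth alerting
  # on because the node aborts outright when that ceiling is reached.
  def atom_table_usage do
    :erlang.system_info(:atom_count) / :erlang.system_info(:atom_limit)
  end

  # Parse the sample with both variants and report how many atoms each created.
  # Only the first run of the unsafe variant adds atoms; later runs reuse them.
  def demo do
    before = :erlang.system_info(:atom_count)
    safe = parse(sample(), &parse_box_name_safe/1)
    mid = :erlang.system_info(:atom_count)
    unsafe = parse(sample(), &parse_box_name_unsafe/1)
    %{safe: safe, unsafe: unsafe, atoms_added_safe: mid - before,
      atoms_added_unsafe: :erlang.system_info(:atom_count) - mid}
  end
end
```

Calling BoxNameDemo.demo/0 in iex returns both name lists and the number of atoms each pass added; the safe pass maps the made-up names to :unknown and adds none, while the unsafe pass interns one new atom per made-up name.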
