CVE-2026-53430
Status: Received - Intake
Source: BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: EEF

Description
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Message modules) allows a denial of service via a gzip decompression bomb. This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.ex and program routines 'Elixir.GRPC.Compressor.Gzip':decompress/1, 'Elixir.GRPC.Message':from_data/2. 'Elixir.GRPC.Compressor.Gzip':decompress/1 calls :zlib.gunzip/1 directly on attacker-controlled bytes with no decompressed-size limit, ratio check, or incremental decoding. Because this module is the registered gzip GRPC.Compressor implementation, it is invoked automatically whenever an incoming gRPC frame carries the grpc-encoding: gzip header. :zlib.gunzip/1 allocates the entire decompressed result as a single binary, so a small highly compressible payload (for example a few kilobytes of zeros, which gzip compresses at roughly 1000:1) expands to multiple gigabytes inside a single call. The max_receive_message_length limit is enforced only against the already-decompressed message, so it provides no protection. An unauthenticated remote peer can send a single crafted frame to exhaust the BEAM node's heap and trigger an out-of-memory kill. This issue affects grpc: from 0.4.0 before 1.0.0.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
Affected Vendors & Products
Vendor: elixir
Product: grpc
Version range: from 0.4.0 (inclusive) to 1.0.0 (exclusive)
CWE
CWE-409: The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
Executive Summary

This vulnerability is an improper handling of highly compressed data (data amplification) in the elixir-grpc grpc library, specifically in the GRPC.Compressor.Gzip and GRPC.Message modules. It allows a denial of service attack via a gzip decompression bomb.

The issue arises because the decompress/1 function calls :zlib.gunzip/1 directly on attacker-controlled compressed data without any limit on decompressed size, ratio checks, or incremental decoding. This means a small compressed payload can expand to multiple gigabytes in memory.

Since the max_receive_message_length limit is only checked after decompression, it does not prevent this attack. An unauthenticated remote attacker can send a single crafted frame with the grpc-encoding: gzip header to exhaust the server's memory and cause an out-of-memory crash.
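The description and the summary above both come down to one missing control: the decompressed size is never bounded while inflating, and max_receive_message_length is checked only after the full binary already exists. The following is an added example, not code from elixir-grpc or from BaseFortify, showing how a gzip body can be inflated incrementally with Erlang's :zlib API so that a byte budget is enforced during decompression rather than after it. The module name BoundedGzip, the function decompress/2 and the demonstration inputs are assumptions constructed for this example.

```elixir
defmodule BoundedGzip do
  # Hypothetical module (not part of elixir-grpc). Inflates a gzip body with
  # the incremental :zlib API and refuses to grow past a caller-supplied byte
  # budget, so a few kilobytes of compressed zeros cannot become gigabytes of
  # heap inside a single call the way an unbounded :zlib.gunzip/1 allows.

  @doc """
  Returns {:ok, binary} when the stream inflates to at most `max_bytes`,
  {:error, :too_large} as soon as the output would exceed that budget, and
  {:error, :data_error} for a malformed gzip stream.
  """
  def decompress(compressed, max_bytes)
      when is_binary(compressed) and is_integer(max_bytes) and max_bytes >= 0 do
    z = :zlib.open()
    # 16 + 15 = window bits for a gzip-wrapped deflate stream, the same
    # setting :zlib.gunzip/1 uses internally.
    :ok = :zlib.inflateInit(z, 16 + 15)

    try do
      # safeInflate/2 returns after expanding a small, implementation-defined
      # amount, so output can be accounted for between calls instead of being
      # handed back as one large binary.
      loop(z, :zlib.safeInflate(z, compressed), [], 0, max_bytes)
    rescue
      ErlangError -> {:error, :data_error}
    after
      :zlib.close(z)
    end
  end

  defp loop(z, {status, chunk}, acc, size, max) do
    size = size + IO.iodata_length(chunk)

    cond do
      size > max ->
        # Abort early: the remainder of the stream is never inflated.
        {:error, :too_large}

      status == :finished ->
        {:ok, IO.iodata_to_binary([acc, chunk])}

      true ->
        # An empty input continues inflating data already queued in zlib.
        loop(z, :zlib.safeInflate(z, []), [acc, chunk], size, max)
    end
  end
end

# Constructed demonstration input: 1 MiB of zeros, which gzip shrinks to
# roughly a kilobyte, the same amplification pattern the advisory describes.
bomb = :zlib.gzip(:binary.copy(<<0>>, 1_048_576))
IO.puts("compressed size: #{byte_size(bomb)} bytes")

# A 64 KiB budget rejects the bomb without materialising the 1 MiB output.
IO.inspect(BoundedGzip.decompress(bomb, 64 * 1024), label: "bomb")

# A normal-sized message under the same budget still decodes.
small = :zlib.gzip("hello over grpc")
IO.inspect(BoundedGzip.decompress(small, 64 * 1024), label: "small")
```

The budget is enforced at the granularity of one safeInflate/2 step, so peak memory is bounded by max_bytes plus one small internal chunk rather than by whatever the attacker's stream expands to. In a server built on this library the natural place for such a check is the decompress/1 routine the advisory names, with the budget taken from the same max_receive_message_length the server already configures; how that option would be passed down to the compressor is not described on this page and is an assumption.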

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition by exhausting the memory of the BEAM node running the elixir-grpc grpc service.

An attacker can send a specially crafted compressed message that decompresses into a very large payload, causing the server to allocate excessive memory and potentially crash or become unresponsive.

Because the attack requires no authentication, it can be triggered remotely by any unauthenticated user, making systems using affected versions vulnerable to disruption.
