
CVE Reports

Originally published at cvereports.com

CVE-2026-32686: Unbounded Exponent Resource Exhaustion in ericmj/decimal

Vulnerability ID: CVE-2026-32686
CVSS Score: 6.9
Published: 2026-05-12

The ericmj/decimal Elixir library contains an uncontrolled resource consumption vulnerability. Parsing a decimal string with an exceptionally large exponent succeeds with minimal memory overhead, but a subsequent arithmetic operation or string formatting call attempts to materialize the expanded value. This exhausts the memory of the BEAM virtual machine, causing an immediate denial of service.

TL;DR

Unbounded exponent parsing in ericmj/decimal allows remote attackers to crash the BEAM VM through memory exhaustion (OOM) by supplying astronomically large scientific-notation values that trigger massive bignum allocations during arithmetic alignment.

Technical Details

  • CWE ID: CWE-400: Uncontrolled Resource Consumption
  • Attack Vector: Network (via crafted scientific notation payload)
  • CVSS v4.0: 6.9 (MEDIUM)
  • EPSS Score: 0.07%
  • Impact: High Availability (Denial of Service via OOM)
  • Exploit Status: Proof of Concept available
  • Patched Version: 3.0.0

Affected Systems

  • Elixir applications utilizing the ericmj/decimal package
  • Erlang BEAM Virtual Machine environments processing untrusted decimal inputs
  • decimal: >= 0.1.0, < 3.0.0 (Fixed in: 3.0.0)

Code Analysis

Commit: 6a523f3

The fix introduces mandatory default limits based on the IEEE 754 decimal128 standard, preventing unbounded bignum allocations during processing.

Mitigation Strategies

  • Upgrade ericmj/decimal dependency to version 3.0.0 or later.
  • Ensure that Decimal.Context overrides do not set emax or emin to :infinity.
  • Implement application-level regex validation that rejects scientific-notation strings with exponents larger than 6000 before they are parsed.
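The guard described in the last bullet, written as an added example (not code from the advisory or from the decimal project): a module that rejects scientific-notation strings whose exponent magnitude exceeds 6000 before Decimal.new/1 ever sees them. The accepted number format, the module name and the use of Decimal.new/1 as the constructor are assumptions; the sample loop at the bottom only exercises the validation step, so it runs without the library installed.

```elixir
defmodule SafeDecimal do
  @moduledoc """
  Added example (not from the advisory or the decimal project): guard untrusted
  decimal strings before they reach the library, so a later arithmetic or
  formatting step cannot be forced into a huge bignum allocation.
  """

  # Bound from the advisory's mitigation advice. Assumption: most applications
  # need far smaller exponents, so tighten this to your real domain.
  @max_exponent 6000

  # Strict shape: sign, integer digits, optional fraction, optional exponent.
  # Anchored so nothing before or after the number slips through.
  @decimal_re ~r/\A[+-]?(?<int>\d+)(?:\.(?<frac>\d+))?(?:[eE](?<exp>[+-]?\d+))?\z/

  @doc "Returns {:ok, str} when safe to parse, otherwise {:error, reason}."
  def validate(str, max_exp \\ @max_exponent) when is_binary(str) do
    case Regex.named_captures(@decimal_re, str) do
      nil ->
        {:error, :malformed}

      %{"exp" => exp} ->
        # named_captures yields "" for an optional group that did not match.
        {exp_val, ""} = Integer.parse(if exp == "", do: "0", else: exp)

        # Only the exponent can be huge while the input stays tiny; the digit
        # strings grow with the request body, which the HTTP layer's request
        # size limit already bounds.
        if abs(exp_val) > max_exp,
          do: {:error, {:exponent_out_of_range, exp_val}},
          else: {:ok, str}
    end
  end

  @doc """
  Validate, then construct the value. Assumes Decimal.new/1 is the constructor
  in use; keep the patched library's Context limits as well, since this guard
  is defence in depth rather than a replacement for the upgrade.
  """
  def parse(str, max_exp \\ @max_exponent) do
    with {:ok, safe} <- validate(str, max_exp), do: {:ok, Decimal.new(safe)}
  end
end

# Constructed sample inputs: the first two pass, the rest are rejected
# (absurd positive exponent, absurd negative exponent, and trailing junk).
for s <- ["12.5", "1.5e-300", "1e999999999999", "1E-7000", "1e5; drop"] do
  IO.inspect(SafeDecimal.validate(s), label: s)
end
```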

Remediation Steps:

  1. Modify the mix.exs file to update the dependency requirement: {:decimal, "~> 3.0"}.
  2. Run mix deps.get and mix deps.compile to fetch and compile the patched version.
  3. Audit the codebase for any manual calls to Decimal.Context.set/1 and ensure that safe limits are maintained.
  4. Deploy the updated application build to production environments.
