CVE-2026-21619 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-502 (Deserialization of Untrusted Data) affecting the hexpm package management ecosystem, specifically the hex_core, hex, and rebar3 components. These components are widely used in the Erlang and Elixir programming environments for managing dependencies and packages. The vulnerability arises from improper handling of deserialized data in the API request functions hex_core:request/4, mix_hex_api:request/4, and r3_hex_api:request/4, which can lead to object injection and excessive memory allocation. This uncontrolled resource consumption can be triggered by sending crafted requests that exploit the deserialization process, causing the system to allocate excessive resources, potentially leading to denial-of-service (DoS) conditions. The affected versions include hex_core from 0.1.0 up to but not including 0.12.1, hex from 2.3.0 up to but not including 2.3.2, and rebar3 from 3.9.1 up to but not including 3.27.0. The vulnerability requires low privileges (partial authentication) and user interaction, but does not compromise confidentiality or integrity of data. The CVSS 4.0 score is 2.0, indicating low severity, primarily due to limited impact and exploitation complexity. No public exploits have been reported, but the vulnerability poses a risk to service availability in environments relying on these package managers.

The primary impact of CVE-2026-21619 is on the availability of systems using the affected hexpm components. By exploiting the deserialization flaw, attackers can cause excessive memory or CPU consumption, leading to degraded performance or denial-of-service conditions. This can disrupt development workflows, continuous integration pipelines, and package management operations in organizations relying on Erlang and Elixir ecosystems. While confidentiality and integrity are not directly affected, the operational disruption can have downstream effects on productivity and service reliability. Organizations with automated build systems or package repositories exposed to untrusted inputs are particularly vulnerable. The low CVSS score reflects the limited scope and complexity, but the risk increases in large-scale or critical infrastructure deployments where resource exhaustion can cascade into broader outages.

To mitigate this vulnerability, organizations should immediately upgrade to patched versions: hex_core 0.12.1 or later, hex 2.3.2 or later, and rebar3 3.27.0 or later. If upgrading is not immediately feasible, implement strict input validation and sanitization on all API endpoints handling package requests to prevent deserialization of untrusted data. Employ rate limiting and resource quotas on package management services to limit the impact of excessive allocation attempts. Monitor system resource usage closely for unusual spikes that may indicate exploitation attempts. Additionally, isolate package management infrastructure from untrusted networks and enforce strong authentication and authorization controls to reduce exposure. Regularly audit dependencies and update them promptly to incorporate security fixes. Finally, consider deploying runtime protections that detect and block abnormal memory or CPU consumption patterns related to deserialization processes.