CVE-2026-32148: CWE-354 Improper Validation of Integrity Check Value in hexpm hex
CVE-2026-32148 is a high-severity vulnerability in hexpm hex affecting versions from 0.16.0 before 2.4.2. It involves improper validation of dependency integrity checks due to a type mismatch in the verification logic, causing checksum verification to be skipped silently. This allows an attacker who can influence cached packages or a compromised registry to inject modified dependencies without detection. The mix.lock file is overwritten with attacker-controlled checksum values, erasing evidence of tampering. No official patch or remediation guidance is currently confirmed.
AI Analysis
Technical Summary
The vulnerability in hexpm hex arises because the Hex.RemoteConverger.verify_resolved/2 function fails to verify dependency checksums properly. This occurs because the lock data uses string-based dependency names, while the verification compares atom-based names, resulting in the verification code path being skipped. Although initial package downloads validate checksums, mismatches between the lockfile and resolved dependencies are not detected, enabling integrity bypass. An attacker able to manipulate cached packages or a compromised registry can supply altered dependency contents that are accepted without detection, and the mix.lock file is silently rewritten with these attacker-supplied checksum values.
Potential Impact
An attacker with the ability to influence cached packages or a compromised package registry can bypass dependency integrity checks, potentially causing the build system to accept and use tampered dependencies without detection. This undermines the trustworthiness of builds relying on hexpm hex, potentially leading to the execution of malicious code or compromised software supply chains. The silent rewriting of the mix.lock file removes evidence of tampering, complicating detection and forensic analysis.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution when using cached packages or registries that might be untrusted or compromised. Avoid using untrusted package sources and consider validating dependencies through alternative means if possible.
CVE-2026-32148: CWE-354 Improper Validation of Integrity Check Value in hexpm hex
Description
CVE-2026-32148 is a high-severity vulnerability in hexpm hex affecting versions from 0.16.0 before 2.4.2. It involves improper validation of dependency integrity checks due to a type mismatch in the verification logic, causing checksum verification to be skipped silently. This allows an attacker who can influence cached packages or a compromised registry to inject modified dependencies without detection. The mix.lock file is overwritten with attacker-controlled checksum values, erasing evidence of tampering. No official patch or remediation guidance is currently confirmed.
CVSS v4.0
Score 8.9high
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in hexpm hex arises because the Hex.RemoteConverger.verify_resolved/2 function fails to verify dependency checksums properly. This occurs because the lock data uses string-based dependency names, while the verification compares atom-based names, resulting in the verification code path being skipped. Although initial package downloads validate checksums, mismatches between the lockfile and resolved dependencies are not detected, enabling integrity bypass. An attacker able to manipulate cached packages or a compromised registry can supply altered dependency contents that are accepted without detection, and the mix.lock file is silently rewritten with these attacker-supplied checksum values.
Potential Impact
An attacker with the ability to influence cached packages or a compromised package registry can bypass dependency integrity checks, potentially causing the build system to accept and use tampered dependencies without detection. This undermines the trustworthiness of builds relying on hexpm hex, potentially leading to the execution of malicious code or compromised software supply chains. The silent rewriting of the mix.lock file removes evidence of tampering, complicating detection and forensic analysis.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution when using cached packages or registries that might be untrusted or compromised. Avoid using untrusted package sources and consider validating dependencies through alternative means if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-03-10T22:37:29.213Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f3a4adcbff5d861069680c
Added to database: 4/30/2026, 6:51:25 PM
Last enriched: 5/8/2026, 2:18:09 AM
Last updated: 6/15/2026, 3:20:22 AM
Views: 70
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.