CVE-2026-32686: CWE-400 Uncontrolled Resource Consumption in ericmj decimal
Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service. The decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. Decimal.new("1e1000000000")) is accepted without error. Subsequent calls to arithmetic functions (Decimal.add/2, Decimal.sub/2, Decimal.div/2), Decimal.to_string/2 with :normal or :xsd format, Decimal.to_integer/1, Decimal.round/3, or Decimal.compare/3 with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM. Any application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash. This issue affects decimal: from 0.1.0 before 3.0.0.
AI Analysis
Technical Summary
The ericmj decimal library improperly handles decimal inputs with very large exponents by not bounding the exponent size during parsing. This allows an attacker to supply a decimal value such as "1e1000000000" which is accepted without error. Subsequent operations like addition, subtraction, division, rounding, integer conversion, string formatting, or comparison allocate memory proportional to the exponent, leading to uncontrolled resource consumption. This can cause the BEAM virtual machine to run out of memory and crash, resulting in a denial of service. The issue affects versions from 0.1.0 up to but not including 3.0.0.
Potential Impact
An unauthenticated remote attacker can cause a denial of service by sending a decimal value with an extremely large exponent to an application using the vulnerable decimal library. This triggers excessive memory allocation during arithmetic or conversion operations, exhausting system memory and crashing the BEAM VM. No code execution or data leakage is described. The impact is limited to availability disruption.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid accepting or processing untrusted decimal inputs with large exponents. Implement input validation to reject decimal values with excessively large exponents before they reach the vulnerable library functions.
CVE-2026-32686: CWE-400 Uncontrolled Resource Consumption in ericmj decimal
Description
Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service. The decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. Decimal.new("1e1000000000")) is accepted without error. Subsequent calls to arithmetic functions (Decimal.add/2, Decimal.sub/2, Decimal.div/2), Decimal.to_string/2 with :normal or :xsd format, Decimal.to_integer/1, Decimal.round/3, or Decimal.compare/3 with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM. Any application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash. This issue affects decimal: from 0.1.0 before 3.0.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The ericmj decimal library improperly handles decimal inputs with very large exponents by not bounding the exponent size during parsing. This allows an attacker to supply a decimal value such as "1e1000000000" which is accepted without error. Subsequent operations like addition, subtraction, division, rounding, integer conversion, string formatting, or comparison allocate memory proportional to the exponent, leading to uncontrolled resource consumption. This can cause the BEAM virtual machine to run out of memory and crash, resulting in a denial of service. The issue affects versions from 0.1.0 up to but not including 3.0.0.
Potential Impact
An unauthenticated remote attacker can cause a denial of service by sending a decimal value with an extremely large exponent to an application using the vulnerable decimal library. This triggers excessive memory allocation during arithmetic or conversion operations, exhausting system memory and crashing the BEAM VM. No code execution or data leakage is described. The impact is limited to availability disruption.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid accepting or processing untrusted decimal inputs with large exponents. Implement input validation to reject decimal values with excessively large exponents before they reach the vulnerable library functions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-03-13T09:12:14.474Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fca37ecbff5d8610fd578b
Added to database: 5/7/2026, 2:36:46 PM
Last enriched: 5/7/2026, 2:53:28 PM
Last updated: 5/8/2026, 10:57:14 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.