CVE-2026-34593: CWE-400: Uncontrolled Resource Consumption in ash-project ash
Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has a hard default limit of approximately 1,048,576 entries, an attacker who can submit values to any resource attribute or argument of type :module can exhaust this table and crash the entire BEAM VM, taking down the application. This issue has been patched in version 3.22.0.
AI Analysis
Technical Summary
CVE-2026-34593 is a vulnerability in the Ash Framework, a declarative and extensible framework for building Elixir applications. The flaw exists in the Ash.Type.Module.cast_input/2 function, which, prior to version 3.22.0, unconditionally creates a new Erlang atom from any user-supplied binary string that starts with "Elixir." by calling Module.concat([value]). This creation occurs before verifying whether the referenced module actually exists. Erlang atoms are unique and stored in a fixed-size atom table within the BEAM virtual machine, which never garbage-collects atoms. The atom table has a hard default limit of approximately 1,048,576 entries. An attacker who can supply arbitrary values to any resource attribute or argument of type :module can force the creation of a large number of unique atoms, rapidly exhausting the atom table. Once the atom table is full, the BEAM VM crashes, causing a denial-of-service (DoS) condition that takes down the entire application. This vulnerability is categorized under CWE-400 (Uncontrolled Resource Consumption). Exploitation requires no authentication or user interaction and can be performed remotely if the application exposes vulnerable endpoints. The vulnerability has been patched in Ash Framework version 3.22.0. No known exploits are currently reported in the wild. The CVSS 4.0 base score is 8.2, reflecting high severity due to network attack vector, low attack complexity, no privileges or user interaction required, and high impact on availability.
Potential Impact
The primary impact of CVE-2026-34593 is a denial-of-service condition caused by exhaustion of the Erlang atom table, leading to a crash of the BEAM VM and the affected application. This can result in service outages, loss of availability, and disruption of business operations for organizations running vulnerable versions of the Ash Framework. Since Erlang atoms are not garbage-collected, the attack can be sustained or repeated to maintain denial of service. The vulnerability affects any Elixir application using Ash Framework versions prior to 3.22.0 that accepts user input for module-type attributes, potentially exposing a wide range of services including web applications, APIs, and backend services. The ease of exploitation (no authentication or user interaction required) increases the risk of automated attacks and large-scale disruption. Organizations relying on BEAM-based systems for critical infrastructure or high-availability services may face significant operational and reputational damage if exploited. Although no known exploits are reported, the vulnerability's characteristics make it a prime target for attackers aiming to cause service outages.
Mitigation Recommendations
To mitigate CVE-2026-34593, organizations should upgrade all Ash Framework instances to version 3.22.0 or later, where the vulnerability is patched. If immediate upgrade is not feasible, implement strict input validation and sanitization on any user-supplied data that could be interpreted as module names, especially those starting with "Elixir.". Limit or restrict the ability of untrusted users to submit values to resource attributes or arguments of type :module. Employ runtime monitoring to detect unusual spikes in atom table usage or BEAM VM crashes, enabling rapid incident response. Consider deploying application-layer rate limiting or web application firewalls (WAFs) to block or throttle suspicious requests targeting module-type inputs. Review application code to avoid dynamic atom creation from untrusted input where possible. Additionally, maintain up-to-date backups and ensure robust incident response plans are in place to recover quickly from potential denial-of-service events. Engage with the Ash Framework community and monitor security advisories for any further updates or exploit reports.
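The two code-level recommendations above (avoid creating atoms from untrusted input; monitor atom-table usage) can be illustrated in Elixir. The following is an added example written for this page, not Ash's own code and not the fix shipped in 3.22.0; the module name SafeModuleType and its function names are hypothetical. It relies only on standard Elixir and OTP calls: String.to_existing_atom/1, Code.ensure_loaded?/1 and :erlang.system_info/1.

```elixir
# Added example (not Ash's code): cast a module name supplied by a user without
# ever allocating a new atom, and expose a cheap atom-table pressure metric.
defmodule SafeModuleType do
  @moduledoc """
  Defensive counterpart to a module-typed input cast: only values naming a
  module that already exists in the atom table and can be loaded are accepted.
  """

  @doc """
  Returns `{:ok, module}` when the input refers to a loadable module,
  otherwise `:error`. No branch creates an atom from attacker-controlled data.
  """
  @spec cast_input(term()) :: {:ok, module()} | :error
  def cast_input(value) when is_atom(value) do
    # The atom already exists, so the only remaining question is whether it
    # names a real module.
    if Code.ensure_loaded?(value), do: {:ok, value}, else: :error
  end

  def cast_input("Elixir." <> _ = value) do
    # String.to_existing_atom/1 raises ArgumentError instead of allocating
    # when the name is not already in the atom table, so arbitrary strings
    # cannot grow the table. This replaces an unconditional Module.concat/1.
    try do
      mod = String.to_existing_atom(value)
      if Code.ensure_loaded?(mod), do: {:ok, mod}, else: :error
    rescue
      ArgumentError -> :error
    end
  end

  # Anything else (other binaries, integers, lists, ...) is rejected outright.
  def cast_input(_), do: :error

  @doc """
  Fraction of the atom table currently in use (0.0..1.0). Suitable for a
  periodic health check or metric so an alert fires long before the VM aborts.
  """
  @spec atom_table_usage() :: float()
  def atom_table_usage do
    :erlang.system_info(:atom_count) / :erlang.system_info(:atom_limit)
  end
end
```

With this in place, a value such as "Elixir.Enum" resolves to the Enum module, while a string naming a module that was never defined is rejected without side effects. One caveat worth knowing: String.to_existing_atom/1 only succeeds once the module's atom exists, which is guaranteed in a release booted in embedded mode (all application modules are loaded at start) but not in interactive mode, where a legitimate module that has not yet been referenced would be rejected until it is loaded. The atom_table_usage/0 ratio is the signal to watch for the "unusual spikes in atom table usage" the recommendations mention; sampling it from a telemetry poller or health endpoint gives defenders warning while the table still has headroom.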
Affected Countries
United States, Germany, United Kingdom, France, Netherlands, Sweden, Brazil, India, Australia, Canada
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-30T17:15:52.499Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69cead0fe6bfc5ba1df180ad
Added to database: 4/2/2026, 5:53:19 PM
Last enriched: 4/2/2026, 6:08:40 PM
Last updated: 4/3/2026, 5:53:36 AM