CVE-2026-34593: CWE-400: Uncontrolled Resource Consumption in ash-project ash
Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has a hard default limit of approximately 1,048,576 entries, an attacker who can submit values to any resource attribute or argument of type :module can exhaust this table and crash the entire BEAM VM, taking down the application. This issue has been patched in version 3.22.0.
AI Analysis
Technical Summary
Ash Framework before version 3.22.0 contains an uncontrolled resource consumption vulnerability (CWE-400) in the function Ash.Type.Module.cast_input/2. This function unconditionally creates new Erlang atoms from any user-supplied binary string starting with "Elixir." via Module.concat([value]) before checking if the module exists. Because the BEAM VM's atom table is limited in size and atoms are never garbage collected, an attacker can exhaust the atom table by submitting many such inputs to any resource attribute or argument of type :module. This leads to a crash of the BEAM VM and denial of service of the application. The vulnerability is tracked as CVE-2026-34593 with a CVSS 4.0 score of 8.2 (high severity). The issue is patched in Ash Framework version 3.22.0.
Potential Impact
An attacker able to submit crafted inputs to any resource attribute or argument of type :module can cause uncontrolled creation of Erlang atoms, exhausting the BEAM VM atom table. This results in a denial of service by crashing the entire BEAM VM and taking down the application. There is no indication of code execution or data leakage from the provided data.
Mitigation Recommendations
Upgrade to Ash Framework version 3.22.0 or later, where this vulnerability has been patched. No other mitigation is indicated or required according to the vendor advisory.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-30T17:15:52.499Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69cead0fe6bfc5ba1df180ad
Added to database: 4/2/2026, 5:53:19 PM
Last enriched: 4/9/2026, 10:48:27 PM
Last updated: 5/20/2026, 8:52:25 PM