CVE-2026-49762: CWE-400 Uncontrolled Resource Consumption in elixir-lang elixir
CVE-2026-49762 is a medium severity vulnerability in the Elixir standard library's Version module affecting versions from 1. 5. 0 up to but not including 1. 20. 1. It allows an attacker who controls a version string to cause denial of service by exhausting CPU and memory resources. The vulnerability arises because the version parser converts numeric components of version strings to integers without limiting their length, enabling super-linear processing and potential process crashes. This can be triggered without authentication via public API functions that parse untrusted version strings.
AI Analysis
Technical Summary
This vulnerability in Elixir's Version module (lib/version.ex, Elixir.Version.Parser:parse_digits/2) involves uncontrolled resource consumption (CWE-400) when parsing numeric version components. The parser converts these components to integers without bounding their length, causing excessive CPU and memory use due to super-linear arbitrary-precision integer conversion. Large numeric components in version strings can pin a BEAM scheduler or cause a SystemLimitError that crashes the process. The issue affects Elixir versions from 1.5.0 before 1.20.1 and is reachable via public functions such as Version.parse/1, Version.parse!/1, Version.match?/3, Version.compare/2, and Version.parse_requirement/1, which are commonly called on untrusted input.
Potential Impact
An attacker able to supply a crafted version string can cause denial of service by exhausting CPU and memory resources of the Elixir runtime, potentially crashing processes or degrading system performance. No authentication is required to trigger this vulnerability. This can disrupt applications that parse untrusted version strings, such as those processing HTTP parameters or dependency manifests.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid parsing untrusted version strings or implement input validation to limit the length and format of numeric version components to prevent excessive resource consumption.
CVE-2026-49762: CWE-400 Uncontrolled Resource Consumption in elixir-lang elixir
Description
CVE-2026-49762 is a medium severity vulnerability in the Elixir standard library's Version module affecting versions from 1. 5. 0 up to but not including 1. 20. 1. It allows an attacker who controls a version string to cause denial of service by exhausting CPU and memory resources. The vulnerability arises because the version parser converts numeric components of version strings to integers without limiting their length, enabling super-linear processing and potential process crashes. This can be triggered without authentication via public API functions that parse untrusted version strings.
CVSS v4.0
Score 5.1medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in Elixir's Version module (lib/version.ex, Elixir.Version.Parser:parse_digits/2) involves uncontrolled resource consumption (CWE-400) when parsing numeric version components. The parser converts these components to integers without bounding their length, causing excessive CPU and memory use due to super-linear arbitrary-precision integer conversion. Large numeric components in version strings can pin a BEAM scheduler or cause a SystemLimitError that crashes the process. The issue affects Elixir versions from 1.5.0 before 1.20.1 and is reachable via public functions such as Version.parse/1, Version.parse!/1, Version.match?/3, Version.compare/2, and Version.parse_requirement/1, which are commonly called on untrusted input.
Potential Impact
An attacker able to supply a crafted version string can cause denial of service by exhausting CPU and memory resources of the Elixir runtime, potentially crashing processes or degrading system performance. No authentication is required to trigger this vulnerability. This can disrupt applications that parse untrusted version strings, such as those processing HTTP parameters or dependency manifests.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid parsing untrusted version strings or implement input validation to limit the length and format of numeric version components to prevent excessive resource consumption.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-06-01T13:45:22.449Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2830838dd33fbd854ac48d
Added to database: 6/9/2026, 3:25:55 PM
Last enriched: 6/9/2026, 3:41:24 PM
Last updated: 6/9/2026, 4:28:52 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.