CVE-2026-53423: CWE-770 Allocation of Resources Without Limits or Throttling in membraneframework membrane_mp4_plugin
Allocation of Resources Without Limits or Throttling vulnerability in membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion. The MP4 box header parser converts each 4-byte box name to an atom using String.to_atom/1 without validation. 'Elixir.Membrane.MP4.Container.Header':parse_box_name/1 in lib/membrane_mp4/container/header.ex interns every box name encountered while 'Elixir.Membrane.MP4.Container.Header':parse/1 walks the input. BEAM atoms are never garbage-collected, so each unique attacker-controlled 4-byte name is a permanent allocation. A crafted MP4 of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names exhausts the atom table (default ceiling around 1,048,576 atoms), aborting the entire BEAM node and taking down all applications running on it. This issue affects membrane_mp4_plugin from 0.3.0 before 0.36.7.
AI Analysis
Technical Summary
CVE-2026-53423 is a CWE-770 vulnerability in the membrane_mp4_plugin of the membraneframework. The issue arises because the MP4 box header parser uses String.to_atom/1 on each 4-byte box name without validation, interning each unique box name as a BEAM atom. Since BEAM atoms are never garbage-collected, an attacker can craft an MP4 file containing approximately 1.1 million distinct box names, exhausting the atom table (default limit ~1,048,576 atoms). This leads to the BEAM node aborting and taking down all applications running on it. The vulnerability affects versions from 0.3.0 up to but excluding 0.36.7.
Potential Impact
Successful exploitation results in denial-of-service by exhausting the BEAM atom table, causing the entire BEAM node to abort. This disrupts all applications running on the affected node. The vulnerability requires local access (AV:L) and has a medium CVSS score of 5.9. No remote or network vector is indicated, and no privilege is required. There is no indication of confidentiality, integrity, or availability impact beyond denial-of-service.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch is indicated in the provided data. Until a patch is available, avoid processing untrusted MP4 files with membrane_mp4_plugin versions 0.3.0 through before 0.36.7. Monitor vendor communications for updates and apply official fixes once released.
CVE-2026-53423: CWE-770 Allocation of Resources Without Limits or Throttling in membraneframework membrane_mp4_plugin
Description
Allocation of Resources Without Limits or Throttling vulnerability in membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion. The MP4 box header parser converts each 4-byte box name to an atom using String.to_atom/1 without validation. 'Elixir.Membrane.MP4.Container.Header':parse_box_name/1 in lib/membrane_mp4/container/header.ex interns every box name encountered while 'Elixir.Membrane.MP4.Container.Header':parse/1 walks the input. BEAM atoms are never garbage-collected, so each unique attacker-controlled 4-byte name is a permanent allocation. A crafted MP4 of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names exhausts the atom table (default ceiling around 1,048,576 atoms), aborting the entire BEAM node and taking down all applications running on it. This issue affects membrane_mp4_plugin from 0.3.0 before 0.36.7.
CVSS v4.0
Score 5.9medium
Affected software
pkg:github/membraneframework/membrane_mp4_plugincpe:2.3:a:membraneframework:membrane_mp4_plugin:*:*:*:*:*:*:*:*Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-53423 is a CWE-770 vulnerability in the membrane_mp4_plugin of the membraneframework. The issue arises because the MP4 box header parser uses String.to_atom/1 on each 4-byte box name without validation, interning each unique box name as a BEAM atom. Since BEAM atoms are never garbage-collected, an attacker can craft an MP4 file containing approximately 1.1 million distinct box names, exhausting the atom table (default limit ~1,048,576 atoms). This leads to the BEAM node aborting and taking down all applications running on it. The vulnerability affects versions from 0.3.0 up to but excluding 0.36.7.
Potential Impact
Successful exploitation results in denial-of-service by exhausting the BEAM atom table, causing the entire BEAM node to abort. This disrupts all applications running on the affected node. The vulnerability requires local access (AV:L) and has a medium CVSS score of 5.9. No remote or network vector is indicated, and no privilege is required. There is no indication of confidentiality, integrity, or availability impact beyond denial-of-service.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch is indicated in the provided data. Until a patch is available, avoid processing untrusted MP4 files with membrane_mp4_plugin versions 0.3.0 through before 0.36.7. Monitor vendor communications for updates and apply official fixes once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-06-09T11:01:47.529Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2a9cff9fc46f59735d0251
Added to database: 6/11/2026, 11:33:19 AM
Last enriched: 6/11/2026, 11:48:23 AM
Last updated: 6/11/2026, 1:18:46 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.