PatchSiren

CVE-2026-48854 elixir-grpc CVE debrief

CVE-2026-48854 is an Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc. This vulnerability allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body. The issue arises from 'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulating every received chunk into a single growing binary with no size cap. Furthermore, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node. This issue affects grpc from 0.3.1 before 1.0.0.

Vendor: elixir-grpc
Product: grpc
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-15
Original CVE updated: 2026-06-16
Advisory published: 2026-06-15
Advisory updated: 2026-06-16

Who should care

Operators running elixir-grpc grpc from version 0.3.1 up to, but not including, 1.0.0 are affected. Because the request can be sent by an unauthenticated client and a single connection is enough to crash the node, any deployment whose gRPC endpoint is reachable by untrusted clients should treat this as urgent.

Technical summary

The vulnerability is caused by the accumulation of received chunks into a single growing binary with no size cap in 'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_full_body/3. Additionally, the per-chunk read timeout resolves to :infinity when the client omits the grpc-timeout header, allowing a slow-trickle client to keep the connection alive indefinitely.
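The following body-read loop is an added illustration of the two missing controls described above, not code from the elixir-grpc project. It assumes the caller has already parsed the grpc-timeout header into milliseconds (nil when absent), uses Cowboy's `:cowboy_req.read_body/2` with its `period` option, and the size and time limits are placeholder values chosen for the example.

```elixir
defmodule BoundedBodyExample do
  # Placeholder limits for the example; tune per deployment.
  @max_body_bytes 4 * 1024 * 1024
  @default_deadline_ms 20_000
  @max_chunk_wait_ms 5_000

  @doc """
  Reads a full unary request body in chunks, failing once the total size
  exceeds `max_bytes` or the overall deadline passes. `deadline_ms` is the
  grpc-timeout in milliseconds, or nil when the client omitted the header;
  in that case a finite server default replaces an unbounded wait.
  """
  def read_full_body(req, deadline_ms, max_bytes \\ @max_body_bytes) do
    budget = deadline_ms || @default_deadline_ms
    deadline = System.monotonic_time(:millisecond) + budget
    do_read(req, deadline, max_bytes, [], 0)
  end

  defp do_read(req, deadline, max_bytes, acc, size) do
    remaining = deadline - System.monotonic_time(:millisecond)

    if remaining <= 0 do
      # A slow-trickle client runs out of time budget even if every chunk
      # arrives just often enough to keep the connection alive.
      {:error, :deadline_exceeded, req}
    else
      # Bound a single chunk wait by the remaining budget; Cowboy returns
      # {:more, data, req} (data possibly empty) once `period` elapses.
      period = min(remaining, @max_chunk_wait_ms)

      case :cowboy_req.read_body(req, %{period: period}) do
        {status, data, req} when status in [:ok, :more] ->
          size = size + byte_size(data)

          cond do
            # Check before appending so the buffer never grows past the cap.
            size > max_bytes -> {:error, :body_too_large, req}
            status == :ok -> {:ok, IO.iodata_to_binary([acc, data]), req}
            true -> do_read(req, deadline, max_bytes, [acc, data], size)
          end
      end
    end
  end
end
```

A caller would map `:body_too_large` to the gRPC status RESOURCE_EXHAUSTED and `:deadline_exceeded` to DEADLINE_EXCEEDED before closing the stream.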

Defensive priority

HIGH

Recommended defensive actions

  • Update to version 1.0.0 or later of elixir-grpc grpc.
  • Until the upgrade is in place, enforce resource limits and throttling on gRPC requests, specifically a cap on the accumulated request body size and a finite read timeout that does not depend on the client supplying grpc-timeout, since the vulnerability relies on both controls being absent.

Evidence notes

The CVE-2026-48854 record was sourced from NVD.

Official resources

CVE-2026-48854 was published on 2026-06-15T23:16:45.813Z.