PatchSiren cyber security CVE debrief
CVE-2026-53430 elixir-grpc CVE debrief
CVE-2026-53430 is a HIGH severity vulnerability (CVSS 8.7) in the elixir-grpc grpc package, affecting versions from 0.4.0 before 1.0.0. It is an instance of improper handling of highly compressed data (data amplification): the GRPC.Compressor.Gzip and GRPC.Message modules, specifically the 'Elixir.GRPC.Compressor.Gzip':decompress/1 and 'Elixir.GRPC.Message':from_data/2 routines, inflate gzip-encoded message bodies without bounding the decompressed size. A decompression bomb therefore yields a denial of service: an unauthenticated remote peer can send a single crafted frame whose gzip body expands far enough to exhaust the BEAM node's heap and trigger an out-of-memory kill.
- Vendor
- elixir-grpc
- Product
- grpc
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-16
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-16
Who should care
Users of elixir-grpc grpc package versions from 0.4.0 before 1.0.0 should treat this as actionable, especially where a server accepts gzip-encoded messages from peers it does not authenticate: the reported trigger is a single crafted frame, so no credentials, session state or application-level interaction are needed to reach the vulnerable decompression.
Technical summary
The flaw is in 'Elixir.GRPC.Compressor.Gzip':decompress/1, which passes attacker-controlled bytes straight to :zlib.gunzip/1 with no decompressed-size limit, no compression-ratio check and no incremental decoding; the same sink is reached through 'Elixir.GRPC.Message':from_data/2 when an incoming frame is decoded. Because :zlib.gunzip/1 materialises the entire output before returning, a small, highly compressible payload (deflate reaches roughly 1000:1 on repetitive input, so a few megabytes suffice for gigabytes of output) expands inside a single call, exhausting the BEAM node's heap and triggering an out-of-memory kill. Note that the gRPC length prefix on a frame bounds only the compressed size, so a limit on frame length does not bound the inflated size.
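To make the gap concrete, the following is an added example written for this debrief; it is not elixir-grpc's code, and the module and function names (BoundedGzipFrame, decode_frame/2, gunzip_bounded/2) are hypothetical. It parses a gRPC length-prefixed frame, keeps the one-call :zlib.gunzip/1 shape only for contrast, and replaces it with :zlib.safeInflate/2 driven under a running output count, so that a 32 MiB bomb constructed inline from zeros is abandoned once the ceiling is crossed instead of being materialised on the heap.

```elixir
defmodule BoundedGzipFrame do
  @moduledoc """
  Added example, not elixir-grpc code: decode one gRPC length-prefixed frame
  and inflate a gzip body under a hard output ceiling.
  """

  # 15 + 16: tell zlib to expect a gzip header instead of a raw deflate stream.
  @gzip_window_bits 31

  # gRPC framing: 1-byte compressed flag, 4-byte big-endian length of the
  # payload *as sent*. That length bounds the compressed bytes only; it says
  # nothing about how large the payload becomes after inflation.
  def decode_frame(
        <<flag, len::unsigned-big-32, payload::binary-size(len), rest::binary>>,
        max_decoded
      ) do
    case flag do
      0 ->
        {:ok, payload, rest}

      1 ->
        case gunzip_bounded(payload, max_decoded) do
          {:ok, msg} -> {:ok, msg, rest}
          {:error, _} = err -> err
        end

      _ ->
        {:error, :bad_flag}
    end
  end

  def decode_frame(_other, _max_decoded), do: {:error, :short_frame}

  # Vulnerable shape from the summary: one call, no ceiling. The entire
  # expanded message lands on the heap before anything can measure it.
  # Kept only for contrast; never call it on peer input.
  def gunzip_unbounded(payload), do: :zlib.gunzip(payload)

  # Hardened shape: :zlib.safeInflate/2 returns after a small chunk of output,
  # so the running total can be checked between chunks and the stream dropped
  # as soon as it passes the ceiling.
  def gunzip_bounded(payload, max_decoded) when is_binary(payload) and max_decoded > 0 do
    z = :zlib.open()
    :ok = :zlib.inflateInit(z, @gzip_window_bits)

    try do
      inflate_loop(z, payload, [], 0, max_decoded)
    rescue
      # :zlib raises :data_error on a corrupt or truncated stream.
      ErlangError -> {:error, :corrupt_gzip}
    after
      :zlib.close(z)
    end
  end

  defp inflate_loop(z, input, acc, produced, max_decoded) do
    {status, chunk} = :zlib.safeInflate(z, input)
    produced = produced + IO.iodata_length(chunk)

    cond do
      produced > max_decoded -> {:error, :too_large}
      # Pass [] to keep draining the stream from where the last call stopped.
      status == :continue -> inflate_loop(z, [], [acc, chunk], produced, max_decoded)
      true -> {:ok, IO.iodata_to_binary([acc, chunk])}
    end
  end

  # Constructed inputs: a legitimate tiny message and a 32 MiB run of zeros,
  # whose gzip form is only tens of kilobytes.
  def demo do
    max_decoded = 4 * 1024 * 1024
    small = frame(1, :zlib.gzip("hello"))
    bomb = frame(1, :zlib.gzip(:binary.copy(<<0>>, 32 * 1024 * 1024)))

    IO.inspect(decode_frame(small, max_decoded), label: "small frame")
    IO.inspect(decode_frame(bomb, max_decoded), label: "bomb frame")
  end

  defp frame(flag, payload),
    do: <<flag, byte_size(payload)::unsigned-big-32, payload::binary>>
end

BoundedGzipFrame.demo()
```

Run it with `elixir bounded_gzip_frame.exs`; the small frame decodes to `{:ok, "hello", ""}` and the bomb frame returns `{:error, :too_large}` after inflating only a little past 4 MiB. The ceiling should be derived from the largest legitimate message the service expects, and an absolute output ceiling is preferable to a ratio check alone, since a ratio check still lets a large compressed input expand to a large output.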
Defensive priority
HIGH
Recommended defensive actions
- Update to version 1.0.0 or later of the elixir-grpc grpc package.
- Until the upgrade lands, keep gzip decompression turned off on endpoints reachable by untrusted peers, or reject frames with the compressed flag set at a reverse proxy; a limit on frame length alone does not help, because it bounds the compressed size only.
- Where decompression of peer input must stay enabled, inflate incrementally with a hard ceiling on output bytes (for example :zlib.safeInflate/2 under a running byte count rather than :zlib.gunzip/1) and drop the stream as soon as the ceiling is crossed.
- Alert on abrupt BEAM memory growth and on nodes restarted by the OOM killer, which are the observable symptoms of a successful attempt.
Evidence notes
The CVE record and details can be found at [cve-org], and the NVD detail at [nvd]. The remaining stored references, [ref-4] through [ref-7], all resolve to the same source item (6b3ad84c-e1a6-4bf7-a703-f496b71e49db).
Official resources
- CVE-2026-53430 CVE record (CVE.org)
- CVE-2026-53430 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db (the four stored references all point to this one item)
CVE-2026-53430 was published on 2026-06-15T23:16:46.363Z; the CVE record and the advisory were last updated on 2026-06-16.