PatchSiren cyber security CVE debrief

CVE-2026-53423 membraneframework CVE debrief

CVE-2026-53423 is a medium-severity vulnerability in the membraneframework membrane_mp4_plugin. The vulnerability allows unauthenticated attackers to cause a denial-of-service (DoS) by exhausting the BEAM atom table. This occurs because the MP4 box header parser converts each 4-byte box name to an atom using String.to_atom/1 without validation, leading to permanent allocation of unique attacker-controlled 4-byte names. A crafted MP4 file of approximately 8 MB with around 1.1 million boxes with distinct non-standard names can exhaust the atom table, aborting the entire BEAM node and taking down all applications running on it. The vulnerability affects membrane_mp4_plugin versions from 0.3.0 before 0.36.7.

Vendor: membraneframework
Product: membrane_mp4_plugin
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-11
Original CVE updated: 2026-06-11
Advisory published: 2026-06-11
Advisory updated: 2026-06-11

Who should care

Users of membraneframework membrane_mp4_plugin running any version from 0.3.0 up to, but not including, 0.36.7 should be aware of this vulnerability and take steps to mitigate it. Any service that parses MP4 input from untrusted sources with this plugin is exposed, since the whole BEAM node is lost, not just the process doing the parsing.

Technical summary

The vulnerability is caused by a lack of validation in the MP4 box header parser: each 4-byte box name is converted to an atom with String.to_atom/1 without being checked against the set of box types the plugin handles and without any cap on the number of distinct names. Because BEAM atoms are never garbage collected, every distinct attacker-controlled name is allocated permanently, and once the atom table is full the runtime aborts the entire node, so the DoS reaches every application on it rather than only the parsing process.
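The parsing choice described above, shown as an added Elixir example that is not code from membrane_mp4_plugin: the unsafe conversion next to an allowlist-bounded one, plus a box walk that counts distinct unknown names as a detection heuristic. The allowlist of box types, the sample file builder and the function names are all constructed for this example.

```elixir
defmodule Mp4BoxAudit do
  @moduledoc """
  Added example (not membrane_mp4_plugin code) illustrating the parsing
  choice behind CVE-2026-53423 and a bounded alternative.
  """

  # Constructed allowlist: box names mapped to atoms created at compile time.
  @known Map.new(~w(ftyp moov mdat free skip moof mvhd trak)a, &{Atom.to_string(&1), &1})

  # Parses one box header: 32-bit big-endian size, then the 4-byte type.
  # Returns {type, payload_size, rest}; size 0 means "extends to end of file".
  def header(<<size::32-big, type::binary-size(4), rest::binary>>) do
    payload = if size == 0, do: byte_size(rest), else: max(size - 8, 0)
    {type, payload, rest}
  end

  # Vulnerable pattern: every unseen name permanently allocates a new atom,
  # and atoms are never garbage collected by the BEAM.
  def name_to_atom_unsafe(type), do: String.to_atom(type)

  # Bounded pattern: only allowlisted names become atoms; anything else stays
  # a binary, so a crafted file cannot grow the atom table.
  def name_to_atom_safe(type), do: Map.get(@known, type, {:unknown, type})

  # Counts distinct box names outside the allowlist in a top-level box walk.
  # A large count in a small file is the signature of an exhaustion payload.
  def distinct_unknown_names(bin, acc \\ MapSet.new())
  def distinct_unknown_names(bin, acc) when byte_size(bin) < 8, do: MapSet.size(acc)

  def distinct_unknown_names(bin, acc) do
    {type, payload, rest} = header(bin)
    acc = if Map.has_key?(@known, type), do: acc, else: MapSet.put(acc, type)

    case rest do
      <<_::binary-size(payload), tail::binary>> -> distinct_unknown_names(tail, acc)
      _ -> MapSet.size(acc)
    end
  end

  # Constructed input: a real ftyp box followed by n empty boxes with distinct
  # 4-byte names (8 bytes each, roughly matching the sizes in the debrief).
  def crafted(n) do
    ftyp = <<12::32-big, "ftyp", "isom">>
    boxes = for i <- 1..n, into: <<>>, do: <<8::32-big, "z", i::24-big>>
    ftyp <> boxes
  end
end
```

Running `Mp4BoxAudit.distinct_unknown_names(Mp4BoxAudit.crafted(1000))` returns 1000 unknown names from an 8 KB input, which is the ratio a pre-parse check can reject before any name reaches String.to_atom/1.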

Defensive priority

MEDIUM

Recommended defensive actions

  • Update membrane_mp4_plugin to version 0.36.7 or later.
  • Limit the number of unique box names in MP4 files to prevent atom table exhaustion.
  • Monitor for suspicious MP4 files and implement validation for box names.

Evidence notes

The vulnerability was reported by an unknown vendor and has a CVSS score of 5.9. The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively.

Official resources

CVE-2026-53423 was published on 2026-06-11T12:16:31.810Z and modified on 2026-06-11T15:35:37.873Z.