Uncontrolled Resource Consumption and Deserialization Vulnerability in Hexpm Products
CVE-2026-21619

2 LOW

Key Information:

Vendor: Hexpm
CVE Published: 27 February 2026

What is CVE-2026-21619?

This vulnerability affects Hexpm's hex_core and rebar3 products, allowing for uncontrolled resource consumption and the potential for object injection due to deserialization of untrusted data. The vulnerability can lead to excessive resource allocation through specific API modules, compromising system stability and performance. Users are encouraged to update their installations to the patched versions to mitigate these risks.

Affected Version(s)

hex 314546ac432229518714cc8e3336e916b9da6305 < 636739f3322514e9303ca335fb630696fcbb3c95

hex 2.3.0 < 2.3.2

hex_core eb327f8edfe45507351e38cc0805aa12fa647f0b

CVSS V4

Score: 2
Severity: LOW
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael Lubas / Paraxial.io
Jonatan Männchen / EEF
Eric Meadows-Jönsson / Hex.pm