Uncontrolled Resource Consumption in Decimal Library by Ericmj
CVE-2026-32686

6.9 MEDIUM

Key Information:

Vendor

Ericmj

Status
Vendor
CVE Published:
7 May 2026

What is CVE-2026-32686?

The Decimal library by Ericmj is affected by a vulnerability that allows an unauthenticated remote Denial of Service through uncontrolled resource consumption. Specifically, the library does not impose any limit on the exponent of parsed decimal input, so exceedingly large exponents are stored without any error feedback (e.g., Decimal.new("1e1000000000")). When arithmetic operations or conversions are subsequently performed on such an unbounded value, memory is allocated in proportion to the exponent. This can exhaust available memory and potentially crash the BEAM virtual machine. Applications that accept user-provided decimal input and then perform arithmetic, rounding, conversion, or string formatting on it are particularly exposed, since a single malicious request can trigger an out-of-memory condition.
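As an added defensive example (not code from the advisory or from the Decimal project), an Elixir wrapper that parses untrusted input with `Decimal.parse/1` and rejects any value whose exponent magnitude exceeds a bound before it reaches arithmetic, rounding or formatting code. The `SafeDecimal` module name and the 1_000 limit are assumptions, the `{decimal, rest} | :error` return shape assumes Decimal 2.x, and the premise that parsing itself only stores the exponent is taken from the advisory text above.

```elixir
defmodule SafeDecimal do
  @moduledoc """
  Added example, not part of the advisory or of the Decimal library.
  Bounds the exponent of user-supplied decimal strings so that later
  arithmetic, rounding, conversion or formatting cannot allocate memory
  in proportion to an attacker-chosen exponent.
  Assumes the `decimal` hex package (2.x API) is available.
  """

  # Assumed bound; choose one that covers the values your application
  # legitimately handles. Note that multiplying two accepted values can
  # produce an exponent of up to twice this magnitude.
  @max_exp_magnitude 1_000

  @spec parse(String.t(), pos_integer()) :: {:ok, Decimal.t()} | {:error, atom()}
  def parse(input, max_exp \\ @max_exp_magnitude)
      when is_binary(input) and is_integer(max_exp) and max_exp > 0 do
    # Per the advisory, parsing only records the exponent in the struct
    # (the %Decimal{exp: ...} field); the proportional allocation happens
    # in later operations, so the check must run before any of them.
    case Decimal.parse(input) do
      {%Decimal{exp: exp} = dec, ""} when abs(exp) <= max_exp ->
        {:ok, dec}

      {%Decimal{}, ""} ->
        # Exponent is syntactically valid but far outside the allowed range.
        {:error, :exponent_out_of_range}

      {%Decimal{}, _rest} ->
        # Partial parse: refuse input with trailing characters rather than
        # silently accepting a prefix.
        {:error, :trailing_input}

      :error ->
        {:error, :invalid_decimal}
    end
  end
end
```

Call `SafeDecimal.parse/1` at the trust boundary (request parameters, CSV import, message payloads) and only hand the `{:ok, dec}` result on to `Decimal.add/2`, `Decimal.round/2`, `Decimal.to_string/1` and similar.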

Affected Version(s)

decimal 0.1.0

decimal bc11f4a2b6fb61fc1360a0ab4e79141bba918841

References

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Peter Ullrich
Eric Meadows-Jönsson
José Valim
Wojtek Mach
Jonatan Männchen
ruslandoga
Matthew Johnston