Erlang Atom Flooding Vulnerability in Ash Framework by Ash Project
CVE-2026-34593

8.2 HIGH

Key Information:

Status
Vendor
CVE Published: 2 April 2026

What is CVE-2026-34593?

The Ash Framework, designed for building Elixir applications, contains a vulnerability in which the function Ash.Type.Module.cast_input/2 creates new Erlang atoms from user-supplied binary strings that begin with 'Elixir.' without first checking that the named module exists. An attacker can use this to fill the atom table of the BEAM virtual machine until it reaches its limit, potentially crashing the application. The vulnerability was addressed in version 3.22.0.
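
The unsafe and hardened conversion patterns side by side, as an added Elixir example that is not Ash's source code or its 3.22.0 patch; the module and function names are hypothetical and the input is constructed. It relies on the fact that the BEAM never garbage-collects atoms, which is why the lookup-only `String.to_existing_atom/1` matters.

```elixir
defmodule ModuleCastExample do
  # Hypothetical helper module for illustration; not part of Ash.

  # Pattern described in the advisory: any "Elixir."-prefixed binary becomes
  # a brand-new atom, whether or not a module of that name exists.
  def unsafe_cast("Elixir." <> _rest = value), do: {:ok, String.to_atom(value)}
  def unsafe_cast(_other), do: :error

  # Hardened pattern: resolve only names whose atom already exists, then
  # confirm that the atom actually names a loadable module.
  def safe_cast("Elixir." <> _rest = value) do
    module = String.to_existing_atom(value)
    if Code.ensure_loaded?(module), do: {:ok, module}, else: :error
  rescue
    # Raised by String.to_existing_atom/1 when no such atom exists yet.
    ArgumentError -> :error
  end

  def safe_cast(_other), do: :error

  # Monitoring aid: how full the atom table is, for alerting before the limit.
  def atom_table_usage do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    %{count: count, limit: limit, used_fraction: count / limit}
  end
end

# Constructed input: built at runtime so that no matching atom exists yet.
unknown = "Elixir.NoSuchModule" <> Integer.to_string(System.unique_integer([:positive]))

IO.inspect(ModuleCastExample.safe_cast(unknown), label: "safe_cast, unknown name")
IO.inspect(ModuleCastExample.safe_cast("Elixir.String"), label: "safe_cast, real module")
IO.inspect(ModuleCastExample.unsafe_cast(unknown), label: "unsafe_cast, unknown name")
IO.inspect(ModuleCastExample.atom_table_usage(), label: "atom table")
```

Exporting the `used_fraction` value as a metric gives operators a signal that the atom table is growing on a node that still runs an affected version.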

Affected Version(s)

ash < 3.22.0

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
