Deserialization and Resource Exhaustion Vulnerability in elixir-grpc by Elixir
CVE-2026-48853

9.2 CRITICAL

Key Information:

CVE Published: 15 June 2026

What is CVE-2026-48853?

The elixir-grpc library is susceptible to deserialization of untrusted data and resource exhaustion vulnerabilities, enabling unauthenticated attackers to potentially crash the BEAM node. The decoding path for gRPC messages calls binary_to_term without safe options and applies neither a size bound nor a type guard to the decoded term. By sending a specially crafted payload, an attacker can create new atoms; because the atom table is bounded and atoms are never garbage collected, this can exhaust the table and crash the VM. Additionally, if the crafted payload encodes executable code, it may result in remote code execution within the server process. This vulnerability affects elixir-grpc versions from 0.4.0 up to but not including 1.0.0.
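To make the three missing controls concrete, here is an added example of a hardened decoder for untrusted External Term Format input. It is not elixir-grpc's code or its fix; the module name `SafeTermDecoder`, the 64 KiB size bound and the "plain map only" type policy are assumptions chosen for illustration. It bounds the input size before decoding, passes `:safe` to `:erlang.binary_to_term/2` so the VM refuses terms that would create new atoms or external function references, and then walks the decoded term to reject funs, pids, ports, references and structs, which `:safe` alone does not exclude.

```elixir
defmodule SafeTermDecoder do
  @moduledoc """
  Hypothetical hardened decoder (added example, not elixir-grpc's code).
  Applies the controls the advisory says were absent: a size bound, `:safe`
  decoding, and a type guard on the decoded term.
  """

  # Assumed upper bound on an encoded message; tune per service.
  @max_bytes 64 * 1024

  @doc """
  Decodes an untrusted ETF binary into a plain map, or returns an error tuple.
  The size check runs before decoding: `:safe` limits what kinds of terms are
  created, not how large the decoded term may become.
  """
  @spec decode(binary(), non_neg_integer()) :: {:ok, map()} | {:error, atom()}
  def decode(bin, max_bytes \\ @max_bytes)

  def decode(bin, max_bytes) when is_binary(bin) and byte_size(bin) > max_bytes do
    {:error, :too_large}
  end

  def decode(bin, _max_bytes) when is_binary(bin) do
    # :safe makes the VM fail with badarg (ArgumentError in Elixir) instead of
    # creating new atoms, directly or inside pids/refs/funs, or new external
    # function references, so the atom table cannot be grown by the sender.
    term = :erlang.binary_to_term(bin, [:safe])

    if is_map(term) and plain_data?(term) do
      {:ok, term}
    else
      {:error, :unexpected_type}
    end
  rescue
    ArgumentError -> {:error, :unsafe_or_malformed}
  end

  def decode(_bin, _max_bytes), do: {:error, :not_binary}

  # Recursive allow-list: only data may appear anywhere in the term. Funs,
  # pids, ports, references and structs fall through to the final clause.
  defp plain_data?(t) when is_number(t) or is_binary(t) or is_atom(t), do: true
  defp plain_data?([]), do: true
  defp plain_data?([h | t]), do: plain_data?(h) and plain_data?(t)
  defp plain_data?(t) when is_tuple(t), do: t |> Tuple.to_list() |> plain_data?()

  defp plain_data?(t) when is_map(t) and not is_struct(t) do
    Enum.all?(t, fn {k, v} -> plain_data?(k) and plain_data?(v) end)
  end

  defp plain_data?(_), do: false

  @doc "Runs the decoder over constructed sample inputs (not captured traffic)."
  def demo do
    samples = [
      plain_map: :erlang.term_to_binary(%{"id" => 1, "name" => "svc"}),
      wrong_type: :erlang.term_to_binary([1, 2, 3]),
      embedded_fun: :erlang.term_to_binary(%{"cb" => fn -> :ok end}),
      oversized: :erlang.term_to_binary(:binary.copy(<<0>>, 100_000))
    ]

    for {label, bin} <- samples, do: {label, decode(bin)}
  end
end
```

Call `SafeTermDecoder.demo/0` in `iex` to see each constructed sample classified. The order of the checks matters: the byte-size guard runs before any decoding so a large payload is rejected without allocating the decoded term, `:safe` is enforced by the VM during decoding, and the recursive type guard runs last on the fully decoded value.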

Affected Version(s)

grpc 0.4.0 < 1.0.0

grpc 25bcc569fe2cc4478531a6c546c923205fc751c9 < 272a97a5ea1b46af1819f14a831fcf35fc91f992

References

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Paulo Valente
Jonatan Männchen