CVE-2026-48854

Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body. 'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node. This issue affects grpc from 0.3.1 before 1.0.0.
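A bounded read loop that addresses both conditions described above, as an added example (it is not elixir-grpc's code or its patch). The module name `BoundedBody`, the 4 MiB cap, the 30 s default deadline and the `read_chunk` callback are assumptions; in a Cowboy handler the callback would wrap `:cowboy_req.read_body/2`, passing the remaining time as its read timeout.

```elixir
defmodule BoundedBody do
  # Added illustration, not elixir-grpc code. Names and limits are assumptions.
  @max_bytes 4 * 1024 * 1024
  @default_deadline_ms 30_000

  # read_chunk: fn remaining_ms -> {:ok, data} | {:more, data} | {:error, reason}
  # (:more = more body follows, :ok = final chunk).
  def read(read_chunk, opts \\ []) do
    max = Keyword.get(opts, :max_bytes, @max_bytes)
    # A missing or non-integer timeout falls back to a finite default, never :infinity.
    budget =
      case Keyword.get(opts, :deadline_ms) do
        ms when is_integer(ms) and ms > 0 -> ms
        _ -> @default_deadline_ms
      end
    loop(read_chunk, [], 0, max, System.monotonic_time(:millisecond) + budget)
  end

  defp loop(read_chunk, acc, size, max, deadline) do
    # One deadline for the whole body, so a slow trickle cannot reset the clock.
    remaining = deadline - System.monotonic_time(:millisecond)
    if remaining <= 0 do
      {:error, :deadline_exceeded}
    else
      case read_chunk.(remaining) do
        {tag, data} when tag in [:ok, :more] ->
          size = size + byte_size(data)
          cond do
            # Reject before keeping the chunk, so the accumulated body never exceeds max.
            size > max -> {:error, :resource_exhausted}
            tag == :ok -> {:ok, IO.iodata_to_binary(Enum.reverse([data | acc]))}
            true -> loop(read_chunk, [data | acc], size, max, deadline)
          end

        {:error, reason} ->
          {:error, reason}
      end
    end
  end
end

# Constructed input: an endless trickle of 1 KiB chunks, one every 10 ms.
trickle = fn _remaining_ms ->
  Process.sleep(10)
  {:more, :binary.copy(<<0>>, 1024)}
end

IO.inspect(BoundedBody.read(trickle, max_bytes: 8 * 1024))
IO.inspect(BoundedBody.read(trickle, max_bytes: 1_000_000, deadline_ms: 100))
```

The first call stops on the size cap and the second on the deadline; mapping the two error atoms to the gRPC status codes RESOURCE_EXHAUSTED and DEADLINE_EXCEEDED is left to the caller.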
CVSS

No CVSS.

Configurations

No configuration.

History

16 Jun 2026, 15:16

| Type | Values Removed | Values Added |
|---|---|---|
| References | https://github.com/elixir-grpc/grpc/security/advisories/GHSA-q8gf-9rvj-gmgj | https://github.com/elixir-grpc/grpc/security/advisories/GHSA-q8gf-9rvj-gmgj |

15 Jun 2026, 23:16

| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |

Information

Published : 2026-06-15 23:16

Updated : 2026-06-17 10:55


NVD link : CVE-2026-48854

Mitre link : CVE-2026-48854

CVE.ORG link : CVE-2026-48854


Products Affected

No product.

CWE
CWE-770

Allocation of Resources Without Limits or Throttling