CyberSec.Space Logo
返回 CVE 瀏覽器

CVE-2026-48854

PENDING
N/A
CVSS Severity Score
EPSS Score0.0790%
EPSS Percentile20.99th
Published2026年6月15日
Last Modified2026年6月15日

Vulnerability Description

Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body. 'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node. This issue affects grpc from 0.3.1 before 1.0.0.

Affected Platforms (CPE)

No CPE configurations currently published for this record.

References & Advisories

🔗 https://cna.erlef.org/cves/CVE-2026-48854.html
🔗 https://github.com/elixir-grpc/grpc/commit/49e18c3ec6bb9afe2f712caad3dbab5c56a68a00
🔗 https://github.com/elixir-grpc/grpc/security/advisories/GHSA-q8gf-9rvj-gmgj
🔗 https://osv.dev/vulnerability/EEF-CVE-2026-48854

相關漏洞威脅

CVE-2026-53430

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Mes...

CVE-2026-48853

Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc all...

CVE-2026-487237.8

The browserstack-cypress-cli is BrowserStack's CLI which allows users to run Cypress tests on BrowserStack. Versions prior to 1.36...

CVE-2026-48599

Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or mod...