CVE-2026-48854

UNKNOWN 0.0

Unbounded request body accumulation causes memory exhaustion in elixir-grpc/grpc

CVSS Score

0.0

EPSS Score

0.3%

EPSS Percentile

26th

Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body. 'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node. This issue affects grpc from 0.3.1 before 1.0.0.

CWE	CWE-770
Vendor	elixir-grpc
Product	grpc
Published	Jun 15, 2026
Last Updated	Jun 17, 2026

Stay Ahead of the Next One

Get instant alerts for elixir-grpc grpc

Be the first to know when new unknown vulnerabilities affecting elixir-grpc grpc are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

elixir-grpc / grpc

0.3.1 < 1.0.0

elixir-grpc / grpc

d1abe70a6cad6dac4a3f8235d883d7c896989560 < 49e18c3ec6bb9afe2f712caad3dbab5c56a68a00

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/elixir-grpc/grpc/security/advisories/GHSA-q8gf-9rvj-gmgj cna.erlef.org: https://cna.erlef.org/cves/CVE-2026-48854.html osv.dev: https://osv.dev/vulnerability/EEF-CVE-2026-48854 github.com: https://github.com/elixir-grpc/grpc/commit/49e18c3ec6bb9afe2f712caad3dbab5c56a68a00

Credits

Peter Ullrich Paulo Valente Jonatan Männchen