Skip to main content

ericmj decimal EUVDEUVD-2026-28376

| CVE-2026-32686 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-07 EEF GHSA-rhv4-8758-jx7v
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Source Code Evidence Fetched
May 07, 2026 - 17:00 vuln.today
Analysis Generated
May 07, 2026 - 17:00 vuln.today
CVSS changed
May 07, 2026 - 15:22 NVD
6.9 (MEDIUM)
CVE Published
May 07, 2026 - 14:04 nvd
UNKNOWN (no severity yet)
CVE Published
May 07, 2026 - 14:04 nvd
MEDIUM 6.9

DescriptionCVE.org

Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service.

The decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. Decimal.new("1e1000000000")) is accepted without error. Subsequent calls to arithmetic functions (Decimal.add/2, Decimal.sub/2, Decimal.div/2), Decimal.to_string/2 with :normal or :xsd format, Decimal.to_integer/1, Decimal.round/3, or Decimal.compare/3 with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM.

Any application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash.

This issue affects decimal: from 0.1.0 before 3.0.0.

AnalysisAI

Uncontrolled resource consumption in ericmj decimal library (versions 0.1.0 before 3.0.0) allows remote denial of service via maliciously crafted decimal values with extremely large exponents. When applications parse user-supplied decimal input and subsequently perform arithmetic operations, string formatting, rounding, or comparison, the library allocates memory proportional to the exponent magnitude without bounds, exhausting available memory and crashing the BEAM virtual machine. A single malicious request is sufficient to trigger an out-of-memory crash.

Technical ContextAI

The decimal library is an Elixir implementation for arbitrary-precision decimal arithmetic. The vulnerability exists in the parsing and arithmetic operations subsystems, which fail to enforce limits on exponent magnitude. CWE-400 (Uncontrolled Resource Consumption) identifies the root cause: the library accepts decimal strings with arbitrarily large exponents (e.g., '1e1000000000') without validation, and subsequent operations-including Decimal.add/2, Decimal.sub/2, Decimal.div/2, Decimal.to_string/2 with :normal or :xsd formats, Decimal.to_integer/1, Decimal.round/3, and Decimal.compare/3-allocate internal structures proportional to the exponent value. This creates a resource exhaustion condition where a single pathological input can consume all available heap memory. The fix (commit 6a523f3a73b8c9974540e21c7aa88f1258bb35ae) implements IEEE 754 decimal128 compliance with default exponent limits (emax=6144, emin=-6143, max_digits=34) enforced at parse time and output rendering, preventing materialization of pathological values.

RemediationAI

Vendor-released patch: upgrade to decimal version 3.0.0 or later, which enforces IEEE 754 decimal128 limits by default. The fix applies max_exponent validation (default 6144) at parse time and enforces max_digits limits (default 34 for parsing, 6178 for output) in Decimal.parse/1, Decimal.cast/1, and Decimal.to_string/2, rejecting pathological inputs before they consume memory. For applications unable to immediately upgrade, implement input validation before calling parse/2 or cast/2 by: (1) manually validating exponent magnitude-reject exponents with absolute value exceeding 6144 before parsing, or (2) calling Decimal.parse/2 or Decimal.cast/2 with explicit :max_exponent option set to a reasonable limit (e.g., 1000 for typical financial use cases). Also avoid calling Decimal.to_string/2 with :normal or :xsd formats on untrusted decimals without passing :max_digits option; use :scientific format instead as it expands output only logarithmically with exponent. Advisory: https://github.com/ericmj/decimal/security/advisories/GHSA-rhv4-8758-jx7v

Share

EUVD-2026-28376 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy