Skip to main content

Membrane Mp4 Plugin

1 CVEs product

Monthly

CVE-2026-53423 MEDIUM PATCH This Month

BEAM atom table exhaustion in Elixir's membrane_mp4_plugin (versions 0.3.0-0.36.6) allows denial-of-service by submitting a crafted MP4 file to any application using the library's container parser. The parser passed attacker-controlled 4-byte MP4 box names to String.to_atom/1 without validation; because BEAM atoms are permanent allocations counted against a hard ceiling (~1,048,576 by default), an ~8 MB file with ~1.1 million distinct non-standard box names exhausts the table and aborts the entire BEAM node, collaterally terminating every application co-hosted on that node. No public exploit has been identified at time of analysis; vendor-released patch 0.36.7 resolves the issue.

Denial Of Service Membrane Mp4 Plugin
NVD GitHub
CVSS 4.0
5.9
EPSS
0.0%
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

BEAM atom table exhaustion in Elixir's membrane_mp4_plugin (versions 0.3.0-0.36.6) allows denial-of-service by submitting a crafted MP4 file to any application using the library's container parser. The parser passed attacker-controlled 4-byte MP4 box names to String.to_atom/1 without validation; because BEAM atoms are permanent allocations counted against a hard ceiling (~1,048,576 by default), an ~8 MB file with ~1.1 million distinct non-standard box names exhausts the table and aborts the entire BEAM node, collaterally terminating every application co-hosted on that node. No public exploit has been identified at time of analysis; vendor-released patch 0.36.7 resolves the issue.

Denial Of Service Membrane Mp4 Plugin
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy