Membrane Mp4 Plugin
Monthly
BEAM atom table exhaustion in Elixir's membrane_mp4_plugin (versions 0.3.0-0.36.6) allows denial-of-service by submitting a crafted MP4 file to any application using the library's container parser. The parser passed attacker-controlled 4-byte MP4 box names to String.to_atom/1 without validation; because BEAM atoms are permanent allocations counted against a hard ceiling (~1,048,576 by default), an ~8 MB file with ~1.1 million distinct non-standard box names exhausts the table and aborts the entire BEAM node, collaterally terminating every application co-hosted on that node. No public exploit has been identified at time of analysis; vendor-released patch 0.36.7 resolves the issue.
BEAM atom table exhaustion in Elixir's membrane_mp4_plugin (versions 0.3.0-0.36.6) allows denial-of-service by submitting a crafted MP4 file to any application using the library's container parser. The parser passed attacker-controlled 4-byte MP4 box names to String.to_atom/1 without validation; because BEAM atoms are permanent allocations counted against a hard ceiling (~1,048,576 by default), an ~8 MB file with ~1.1 million distinct non-standard box names exhausts the table and aborts the entire BEAM node, collaterally terminating every application co-hosted on that node. No public exploit has been identified at time of analysis; vendor-released patch 0.36.7 resolves the issue.