CVE-2026-48853: Remote code execution and denial of service via unsafe Erlang term deserialization in elixir-grpc/grpc
Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote code execution on the server. 'Elixir.GRPC.Codec.Erlpack':decode/2 (lib/grpc/codec/erlpack.ex) calls :erlang.binary_to_term/1 on the raw gRPC message body without the :safe option, no size bound, and no type guard. Any unauthenticated peer that sends a request with Content-Type: application/grpc+erlpack can send a crafted payload that mints arbitrary new atoms (which are never garbage-collected, exhausting the bounded atom table and crashing the VM) or that encodes a fun term which, if applied anywhere downstream, executes attacker-controlled code inside the server process. This issue affects grpc from 0.4.0 before 1.0.0.
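The decode path described above, with the checks the advisory says are missing, as an added example; this is not code from elixir-grpc/grpc or from its 1.0.0 fix. It is a hypothetical hardened decoder shaped like the `decode/2` codec callback the advisory names: it bounds the payload, decodes with `:safe` so no new atoms can be minted, and then refuses any decoded term that could be applied or that names a VM-local resource. The module name, size limit and error atoms are assumptions.

```elixir
# Added example, not code from elixir-grpc/grpc. A hypothetical hardened
# erlpack decoder shaped like the decode/2 codec callback the advisory names.
# It bounds the payload, decodes with :safe so no new atoms can be minted,
# and then refuses any decoded term that could be applied or that names a
# VM-local resource. The size limit and error atoms are assumptions.
defmodule HardenedErlpackCodec do
  # Assumed ceiling; size it to the largest legitimate message you expect.
  @max_bytes 1_048_576

  # The shape the advisory describes: no :safe, no size bound, no guard.
  # Shown only for contrast; never call this on peer-supplied bytes.
  def unsafe_decode(binary), do: :erlang.binary_to_term(binary)

  @doc "Returns {:ok, term} or {:error, reason}; never raises on bad input."
  def decode(binary, _module \\ nil) when is_binary(binary) do
    with :ok <- check_size(binary),
         {:ok, term} <- safe_binary_to_term(binary),
         :ok <- reject_executable(term) do
      {:ok, term}
    end
  end

  defp check_size(bin) when byte_size(bin) > @max_bytes, do: {:error, :too_large}
  defp check_size(_bin), do: :ok

  # With [:safe] the VM raises badarg on any atom that is not already in the
  # atom table (and on references to unknown external funs), so a crafted
  # payload cannot grow the atom table. A size bound is still needed: :safe
  # does not limit how much memory a legitimate-looking term may allocate.
  defp safe_binary_to_term(bin) do
    {:ok, :erlang.binary_to_term(bin, [:safe])}
  rescue
    ArgumentError -> {:error, :unsafe_term}
  end

  # :safe does not reject an anonymous fun whose embedded atoms already
  # exist, so walk the decoded term and refuse funs, pids, ports and refs
  # before anything downstream can apply or message them.
  defp reject_executable(term)
       when is_function(term) or is_pid(term) or is_port(term) or is_reference(term),
       do: {:error, :executable_term}

  # Lists are walked head by head so an improper list cannot crash the check.
  defp reject_executable([head | tail]) do
    case reject_executable(head) do
      :ok -> reject_executable(tail)
      error -> error
    end
  end

  defp reject_executable(tuple) when is_tuple(tuple),
    do: reject_executable(Tuple.to_list(tuple))

  defp reject_executable(map) when is_map(map),
    do: reject_executable(Map.to_list(map))

  # Atoms, numbers, binaries, [] and any other scalar are fine.
  defp reject_executable(_scalar), do: :ok
end
```

With constructed inputs: `HardenedErlpackCodec.decode(:erlang.term_to_binary(%{id: 1}))` returns the map, a raw ATOM_EXT for an atom the node has never interned (`<<131, 100, 0, 10, "never_seen">>`) comes back as `{:error, :unsafe_term}`, and `:erlang.term_to_binary(fn -> :ok end)` is refused before any caller could apply it. If the service already depends on plug_crypto, `Plug.Crypto.non_executable_binary_to_term/2` performs a comparable fun-rejecting walk on top of `:erlang.binary_to_term/2`; the size bound still has to be enforced before decoding either way.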
Metrics
- CVSS v4.0: 9.2
- Severity: CRITICAL
- Fixed in: 1.0.0
- Affected Products: 2
HarborGuard Analysis
Synopsis
This is an unsafe deserialization vulnerability in the elixir-grpc/grpc library, affecting versions from 0.4.0 up to, but not including, 1.0.0. The flaw is reachable over the network by any unauthenticated peer that sends a gRPC request with the erlpack content type; no login or special access is required. Successful exploitation lets an attacker crash the Erlang VM by exhausting the atom table and, where the decoded term reaches a call site that applies it, execute arbitrary code inside the server process. A patched-image rebuild at version 1.0.0 (commit 272a97a5ea1b46af1819f14a831fcf35fc91f992) is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
- Detection: Available. Detection of CVE-2026-48853 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all container images in customer registries and CI pipelines, including custom-built images that bundle elixir-grpc/grpc in the affected range (0.4.0 up to, but not including, 1.0.0).
- Triage: Available. HarborGuard scores this CVE at its published CVSS v4.0 severity of 9.2 (CRITICAL) and weights that score against each environment's compliance policy to determine priority. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
- Remediation: Available. A patched-image rebuild pinned to elixir-grpc/grpc 1.0.0 (commit 272a97a5ea1b46af1819f14a831fcf35fc91f992) becomes available in HarborGuard as soon as an affected image is identified. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs the regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable decode path is exposed over the network: any peer that can reach the gRPC port can send a crafted erlpack payload without needing a local foothold.
- Authentication: Not required
No credentials or session token are required; the attack is executable by any unauthenticated client that can open a gRPC connection.
- Victim interaction: Not required
The vulnerability is triggered entirely by the attacker's inbound request; no user action or click is involved.
- Attack complexity: Low (AC:L), with attack requirements present (AT:P)
The base exploit path (atom table exhaustion) is reliable and needs no precondition beyond reaching the port. Code execution additionally requires the decoded term to flow into a downstream call site that applies it, which is the deployment-specific precondition the CVSS v4.0 Attack Requirements metric (AT:P, "Present") records.
Blast Radius
- An attacker crashes the BEAM VM by flooding the bounded atom table with newly minted atoms, taking down the entire Erlang node and all services it hosts.
- Where a deserialized fun term reaches a downstream call site, the attacker executes arbitrary code inside the server process with the privileges of the running application.
- All data accessible to the server process, including in-memory state, credentials, and any secrets loaded at runtime, is readable by the attacker after code execution.
- The attacker can modify or delete any data the server process can write, including persisted records and downstream service calls made from the compromised process.
How HarborGuard Handles This
Detection and remediation are available on HarborGuard: detection fires within minutes of CVE publication and applies to every image in a customer registry or CI pipeline that packages elixir-grpc/grpc in the affected version range. For environments where the compliance policy permits auto-remediation, HarborGuard rebuilds the image at the patched version (1.0.0, commit 272a97a5ea1b46af1819f14a831fcf35fc91f992), runs a regression pass, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments that require manual approval, the rebuilt image is staged and the pull request is held for reviewer sign-off. Because the vulnerable surface is the erlpack codec specifically, selected by the Content-Type: application/grpc+erlpack header on the request, network-policy controls that restrict which peers can reach the gRPC port are a useful compensating control while patch deployment is in progress. They only narrow the set of peers who can send the payload, not the payload itself, so a server that does not need to accept erlpack should stop exposing that codec rather than rely on network policy alone.
Affected Products
- elixir-grpc / grpc: < 1.0.0 (from 0.4.0)
- elixir-grpc / grpc: < 272a97a5ea1b46af1819f14a831fcf35fc91f992 (from 25bcc569fe2cc4478531a6c546c923205fc751c9)
CVSS v4.0 vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N