CVE-2026-48854: Unbounded request body accumulation causes memory exhaustion in elixir-grpc/grpc
Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body. 'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node. This issue affects grpc from 0.3.1 before 1.0.0.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 1.0.0
- Affected Products: 2
HarborGuard Analysis
Synopsis
An unbounded resource allocation flaw in elixir-grpc/grpc (versions 0.3.1 through 0.9.x) allows an unauthenticated remote attacker to exhaust all available BEAM virtual machine memory and crash the server. The vulnerable read_full_body/3 function accumulates incoming request chunks into a single growing binary with no size cap, and when the client omits the grpc-timeout header the chunk-read timeout becomes infinite, letting a slow-trickle connection hold the server open indefinitely. Successful exploitation of a single connection crashes the gRPC node, causing a full service outage. A patched-image rebuild at version 1.0.0 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-48854 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream advisory feeds, covering both third-party base images and custom-built images that bundle elixir-grpc/grpc. Any image containing a grpc package version from 0.3.1 before 1.0.0 is flagged automatically.
HarborGuard surfaces this CVE with its CVSS v4.0 score of 8.7 (HIGH) and applies per-environment compliance policy weighting to prioritize alerting, routing findings to the appropriate team inbox within each customer organization based on configured severity thresholds and ownership mappings.
A patched-image rebuild pinned to elixir-grpc/grpc version 1.0.0 (commit 49e18c3ec6bb9afe2f712caad3dbab5c56a68a00) becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the gRPC service over the network; no prior foothold on the host is needed.
- Authentication: Not required
The vulnerability is exploitable without any credentials; an unauthenticated client connection is sufficient to begin accumulating memory.
- Victim interaction: Not required
No user action or administrator interaction is required; the attacker initiates the exploit entirely by opening a single gRPC connection.
- Attack complexity: Low (AC:L in the CVSS vector)
Exploitation is reliable and condition-free; the attacker only needs to stream a large or slow-trickle request body, with no race conditions or environmental factors to navigate.
Blast Radius
- Crashes the BEAM virtual machine node, taking down the entire gRPC server process and all requests in flight.
- Makes the service completely unavailable until the node is restarted, with recovery dependent on external process supervision or orchestration restarts.
- A single malicious connection is sufficient to trigger the crash, meaning even low-volume attackers can cause repeated outages with minimal effort.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-48854 activates immediately upon advisory ingestion, flagging any image that bundles elixir-grpc/grpc from version 0.3.1 before 1.0.0. Where compliance policy permits, a patched-image rebuild at version 1.0.0 is queued automatically. For customers who opt into auto-remediation, the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes, covering the rebuild, regression run, and pull request opened against affected workloads. Customers who manage remediation manually can act on the finding routed to their inbox, referencing the fix version and commit hash (49e18c3ec6bb9afe2f712caad3dbab5c56a68a00) provided in the CVE record. Until a patched image is deployed, a compensating control worth considering is placing the gRPC service behind a network policy or load-balancer rule that enforces a maximum request body size and connection timeout at the ingress layer, reducing the window for slow-trickle exhaustion attacks.
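The two defects this advisory describes, an accumulator with no size cap and a per-chunk read timeout that resolves to :infinity when the client omits grpc-timeout, translate directly into two checks that a server-side body reader has to enforce itself, whatever limits the ingress layer adds. The module below is an added example written for this page; it is not code from elixir-grpc/grpc or from its 1.0.0 fix. The `read_chunk` callback, the `:max_bytes` and `:grpc_timeout_ms` options, the default limits, and the constructed clients are assumptions standing in for a real transport.

```elixir
defmodule BoundedBodyReader do
  @moduledoc """
  Added example (not elixir-grpc/grpc code): read a streamed request body into
  one binary while enforcing a maximum total size and a finite per-chunk read
  timeout, even when the client sent no grpc-timeout header.
  """

  # Assumed server-side ceilings; tune for the deployment.
  @default_max_bytes 4 * 1024 * 1024
  @max_chunk_timeout_ms 30_000

  @type read_fun :: (pos_integer() -> {:ok | :more, binary()} | {:error, term()})

  @doc """
  `read_chunk` is an assumed callback standing in for the transport's own read
  call: given a timeout in milliseconds it returns `{:ok, chunk}` for the final
  chunk, `{:more, chunk}` when more data follows, or `{:error, reason}`.
  `opts` may carry `:max_bytes` and `:grpc_timeout_ms` (nil when the header
  was absent).
  """
  @spec read_full_body(read_fun, keyword()) ::
          {:ok, binary()} | {:error, :body_too_large | term()}
  def read_full_body(read_chunk, opts \\ []) do
    max_bytes = Keyword.get(opts, :max_bytes, @default_max_bytes)
    timeout = resolve_timeout(Keyword.get(opts, :grpc_timeout_ms))
    do_read(read_chunk, timeout, max_bytes, [], 0)
  end

  # A missing or infinite client deadline must never become an infinite
  # per-chunk wait: fall back to the server's own ceiling, and clamp any
  # client-supplied value to that ceiling as well.
  defp resolve_timeout(nil), do: @max_chunk_timeout_ms
  defp resolve_timeout(:infinity), do: @max_chunk_timeout_ms
  defp resolve_timeout(ms) when is_integer(ms) and ms > 0, do: min(ms, @max_chunk_timeout_ms)

  # Chunks are collected as an iolist and joined once at the end. The running
  # byte count is checked before each chunk is kept, so the accumulator can
  # never exceed max_bytes no matter how long the client keeps streaming.
  defp do_read(read_chunk, timeout, max_bytes, acc, size) do
    case read_chunk.(timeout) do
      {status, chunk} when status in [:ok, :more] and is_binary(chunk) ->
        new_size = size + byte_size(chunk)

        cond do
          new_size > max_bytes -> {:error, :body_too_large}
          status == :ok -> {:ok, IO.iodata_to_binary(Enum.reverse([chunk | acc]))}
          true -> do_read(read_chunk, timeout, max_bytes, [chunk | acc], new_size)
        end

      {:error, reason} ->
        {:error, reason}
    end
  end

  @doc "Constructed client that streams 1 KiB chunks and never signals the end."
  def endless_client, do: fn _timeout -> {:more, :binary.copy(<<0>>, 1024)} end

  @doc "Constructed client that sends the given chunks in order and then finishes."
  def finite_client(chunks) do
    {:ok, agent} = Agent.start_link(fn -> chunks end)

    fn _timeout ->
      Agent.get_and_update(agent, fn
        [last] -> {{:ok, last}, []}
        [head | rest] -> {{:more, head}, rest}
        [] -> {{:ok, <<>>}, []}
      end)
    end
  end

  @doc "Runs both constructed clients through the bounded reader."
  def demo do
    too_large = read_full_body(endless_client(), max_bytes: 64 * 1024)
    fits = read_full_body(finite_client(["hello ", "world"]), max_bytes: 64)
    {too_large, fits}
  end
end
```

`BoundedBodyReader.demo/0` exercises both paths: the endless client is cut off with `{:error, :body_too_large}` once the 65th 1 KiB chunk would push the total past the 64 KiB cap, while the short finite body is joined into a single binary. The timeout handling is deliberately separate from the size handling: a client that trickles one byte every few seconds stays under any size cap, so only a finite per-chunk timeout, never `:infinity`, bounds how long such a connection can hold the reader open.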
Affected Products
- elixir-grpc / grpc: < 1.0.0 (from 0.3.1)
- elixir-grpc / grpc: < 49e18c3ec6bb9afe2f712caad3dbab5c56a68a00 (from d1abe70a6cad6dac4a3f8235d883d7c896989560)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N