Description

Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service. The decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. Decimal.new("1e1000000000")) is accepted without error. Subsequent calls to arithmetic functions (Decimal.add/2, Decimal.sub/2, Decimal.div/2), Decimal.to_string/2 with :normal or :xsd format, Decimal.to_integer/1, Decimal.round/3, or Decimal.compare/3 with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM. Any application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash. This issue affects decimal: from 0.1.0 before 3.0.0.

INFO

Published Date :

2026-05-07T14:04:47.222Z

Last Modified :

2026-05-07T14:04:47.222Z

Source :

EEF
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32686 vulnerability.

Vendors Products
Ericmj
  • Decimal
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32686.

URL Resource
https://cna.erlef.org/cves/CVE-2026-32686.html cve-icon cve-icon
https://github.com/ericmj/decimal/commit/6a523f3a73b8c9974540e21c7aa88f1258bb35ae cve-icon cve-icon
https://github.com/ericmj/decimal/security/advisories/GHSA-rhv4-8758-jx7v cve-icon cve-icon
https://osv.dev/vulnerability/EEF-CVE-2026-32686 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability