Unknown · Membrane Mp4 Plugin · CVE-2026-53423
**Name of the Vulnerable Software and Affected Versions**
membrane_mp4_plugin versions 0.3.0 through 0.36.6
**Description**
An unauthenticated denial-of-service can occur via BEAM atom table exhaustion. The MP4 box header parser converts 4-byte box names to atoms using the `String.to_atom/1` function without validation. Specifically, the `parse_box_name/1` function in `lib/membrane_mp4/container/header.ex` interns every box name encountered while the `parse/1` function processes the input. Since BEAM atoms are not garbage-collected, each unique attacker-controlled name results in a permanent allocation. A crafted MP4 file of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names can exhaust the atom table, which has a default ceiling of around 1,048,576 atoms, causing the entire BEAM node and all running applications to abort.
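The sketch below is an added example, not code from the plugin or its fix: it contrasts the `String.to_atom/1` pattern described above with an allowlist lookup that leaves unknown box names as binaries, and measures atom table growth for each. The module, its function names and the allowlist (an illustrative subset of ISO BMFF box types) are assumptions, and the 1,000 input names are constructed.

```elixir
# Added example; module, function and allowlist names are hypothetical.
defmodule BoxHeaderExample do
  # Illustrative subset of standard ISO BMFF box types.
  @known ~w(ftyp moov mvhd trak tkhd mdia mdhd hdlr minf stbl stsd mdat moof free skip)
  # Atoms for allowlisted names are created once, at compile time.
  @known_map Map.new(@known, fn name -> {name, String.to_atom(name)} end)

  # Pattern the advisory describes: every distinct name becomes a new atom.
  def unsafe_name(<<name::binary-size(4)>>), do: String.to_atom(name)

  # Hardened form: unknown names stay binaries, which are garbage-collected.
  def safe_name(<<name::binary-size(4)>>) do
    case Map.fetch(@known_map, name) do
      {:ok, atom} -> atom
      :error -> {:unknown, name}
    end
  end

  # Parse one box header with a 32-bit size field followed by a 4-byte name.
  def parse_header(<<size::32, name::binary-size(4), rest::binary>>, namer)
      when size >= 8 do
    {:ok, %{size: size, name: namer.(name)}, rest}
  end

  def parse_header(_other, _namer), do: {:error, :malformed_header}

  # Number of atoms created while parsing `n` constructed, distinct names.
  def atom_growth(n, namer) do
    before = :erlang.system_info(:atom_count)

    for i <- 1..n do
      # Constructed 4-byte names such as "z00A", none of them allowlisted.
      name = "z" <> String.pad_leading(Integer.to_string(i, 36), 3, "0")
      {:ok, _header, _rest} = parse_header(<<8::32, name::binary>>, namer)
    end

    :erlang.system_info(:atom_count) - before
  end
end

unsafe = BoxHeaderExample.atom_growth(1000, &BoxHeaderExample.unsafe_name/1)
safe = BoxHeaderExample.atom_growth(1000, &BoxHeaderExample.safe_name/1)
IO.inspect({unsafe, safe}, label: "atoms created {unsafe, safe}")
```

Watching `:erlang.system_info(:atom_count)` against `:erlang.system_info(:atom_limit)` on a running node gives an early signal that parsed input is being interned.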
**Recommendations**
Update membrane_mp4_plugin to version 0.36.7.