Hexpm · Decimal · CVE-2026-32686
**Name of the Vulnerable Software and Affected Versions**
ericmj decimal versions 0.1.0 through 2.x
**Description**
Uncontrolled Resource Consumption allows unauthenticated remote Denial of Service. The library does not bound the exponent on parsed input, so a decimal with an excessively large exponent is stored without error. Subsequent calls to functions such as `Decimal.add/2`, `Decimal.sub/2`, `Decimal.div/2`, `Decimal.to_integer/1`, `Decimal.round/3`, `Decimal.compare/3` with a threshold, or `Decimal.to_string/2` using the `:normal` or `:xsd` format allocate memory proportional to the exponent value. This can exhaust available memory and crash the BEAM VM (the Erlang Virtual Machine). Any application accepting user-supplied decimal input for arithmetic, rounding, integer conversion, or string formatting is exposed, since a single malicious request can cause an out-of-memory crash.
**Recommendations**
Update to version 3.0.0 or later.
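For applications that cannot upgrade immediately, the practical mitigation is to reject out-of-range input before it ever reaches arithmetic or formatting. The following is an added example written for this page; it is not code from the advisory or from the `decimal` library. It assumes the Decimal 2.x `Decimal.parse/1` API (which returns `{%Decimal{}, rest}` or `:error`) and the public `coef`/`exp` struct fields; the module name `SafeDecimalInput` and the bounds `@max_abs_exp` and `@max_coef_digits` are assumptions to be tuned per application.

```elixir
# Added example, not part of the advisory or the decimal library: an input
# guard that parses user-supplied text and rejects decimals whose exponent
# or digit count exceeds an application-chosen bound, so that later calls
# such as Decimal.add/2 or Decimal.to_string/2 cannot allocate memory
# proportional to an attacker-controlled exponent.
defmodule SafeDecimalInput do
  # Assumed bounds; pick values that cover the application's legitimate inputs.
  @max_abs_exp 1_000
  @max_coef_digits 1_000

  @doc """
  Parses `input` and returns `{:ok, %Decimal{}}` only when the entire string
  is a finite decimal within the configured bounds; otherwise `{:error, reason}`.
  """
  def parse(input) when is_binary(input) do
    case Decimal.parse(String.trim(input)) do
      # NaN / Infinity have a non-integer coefficient; refuse them up front.
      {%Decimal{coef: coef}, ""} when not is_integer(coef) ->
        {:error, :not_finite}

      {%Decimal{coef: coef, exp: exp} = dec, ""} ->
        cond do
          abs(exp) > @max_abs_exp ->
            {:error, :exponent_out_of_range}

          coef_digits(coef) > @max_coef_digits ->
            {:error, :too_many_digits}

          true ->
            {:ok, dec}
        end

      # Trailing characters after the number: treat as malformed rather than
      # silently truncating what the user sent.
      {%Decimal{}, _rest} ->
        {:error, :trailing_input}

      :error ->
        {:error, :invalid_decimal}
    end
  end

  # Number of decimal digits in a non-negative integer coefficient.
  defp coef_digits(0), do: 1
  defp coef_digits(coef), do: coef |> Integer.to_string() |> byte_size()
end

# Example usage (constructed inputs):
#   SafeDecimalInput.parse("12.50")        #=> {:ok, %Decimal{...}}
#   SafeDecimalInput.parse("1e999999999")  #=> {:error, :exponent_out_of_range}
#   SafeDecimalInput.parse("NaN")          #=> {:error, :not_finite}
#   SafeDecimalInput.parse("12abc")        #=> {:error, :trailing_input}
```

Route every externally supplied decimal through a guard like this (or an equivalent changeset validator) before calling the arithmetic, rounding, conversion, or formatting functions listed above; the check runs in constant time relative to the exponent value, since it only inspects the parsed struct. This is a stop-gap, and upgrading to 3.0.0 or later remains the fix.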