PT-2026-38441 · Hexpm · Decimal

Eric Meadows-Jönsson · Published 2026-04-25 · Updated 2026-05-12 · CVE-2026-32686

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ericmj decimal versions 0.1.0 through 2.x

Description: Uncontrolled Resource Consumption allows unauthenticated remote Denial of Service. The library does not bound the exponent on parsed input, meaning a decimal with an excessively large exponent can be stored without error. Subsequent calls to functions such as Decimal.add/2, Decimal.sub/2, Decimal.div/2, Decimal.to_integer/1, Decimal.round/3, Decimal.compare/3 with a threshold, or Decimal.to_string/2 using the :normal or :xsd format allocate memory proportional to the exponent value. This can exhaust available memory and crash the BEAM VM (the Erlang Virtual Machine). Any application accepting user-supplied decimal input for arithmetic, rounding, integer conversion, or string formatting is exposed, as a single malicious request can cause an out-of-memory crash.

Recommendations: Update to version 3.0.0 or later.
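The following is an added example, not code from the advisory or from the decimal project, showing the input-side check a defender would put in front of the arithmetic described above while the upgrade to 3.0.0 is rolled out. It assumes decimal 2.x, where Decimal.parse/1 returns {%Decimal{}, rest} or :error and the struct exposes the :sign, :coef and :exp fields; the module name SafeDecimalInput and the bound of 1_000 are assumptions chosen for illustration.

```elixir
# Added example (not part of the advisory or the decimal library).
# Validates user-supplied decimal strings and rejects those whose exponent
# is outside a fixed bound before they reach Decimal.add/2, Decimal.round/3,
# Decimal.to_integer/1, Decimal.to_string/2 and friends, whose memory use
# grows with the exponent on unpatched versions (0.1.0 through 2.x).
defmodule SafeDecimalInput do
  # Hypothetical policy bound: the largest |exp| the application has a
  # legitimate use for. Pick a value that fits your domain.
  @max_abs_exp 1_000

  @spec parse(String.t()) :: {:ok, Decimal.t()} | {:error, atom()}
  def parse(input) when is_binary(input) do
    # Decimal.parse/1 (decimal 2.x) returns {decimal, remainder} or :error.
    case Decimal.parse(String.trim(input)) do
      # Fully consumed and exponent within bound: accept.
      {%Decimal{exp: exp} = dec, ""} when abs(exp) <= @max_abs_exp ->
        {:ok, dec}

      # Parsed fine, but "1e999999999" or a long run of leading zeros
      # would make later arithmetic allocate in proportion to exp: reject.
      {%Decimal{}, ""} ->
        {:error, :exponent_out_of_range}

      # Trailing characters after the number: reject rather than guess.
      {%Decimal{}, _rest} ->
        {:error, :trailing_input}

      :error ->
        {:error, :invalid_decimal}
    end
  end

  # Convenience wrapper: validate both operands, then add them.
  @spec safe_add(String.t(), String.t()) :: {:ok, Decimal.t()} | {:error, atom()}
  def safe_add(a, b) do
    with {:ok, da} <- parse(a),
         {:ok, db} <- parse(b) do
      {:ok, Decimal.add(da, db)}
    end
  end
end
```

In iex, SafeDecimalInput.parse("12.50") returns {:ok, #Decimal<12.50>} while SafeDecimalInput.parse("1e5000") returns {:error, :exponent_out_of_range}, so the oversized exponent never reaches the allocating operations. Checking abs/1 of the exponent covers both large positive exponents (scientific notation) and large negative ones (many fractional digits). This is defence in depth only; the fix remains updating to decimal 3.0.0 or later as recommended above.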

Tags: Exploit, Fix, DoS, Resource Exhaustion, Argument Injection

Weakness Enumeration

Related Identifiers:
CVE-2026-32686
GHSA-RHV4-8758-JX7V
GHSA-X2QX-6953-8485

Affected Products: Decimal