PT-2026-47801 · Elixir · Elixir

Eric Meadows-Jönsson +3 · Published 2026-06-09 · Updated 2026-06-09 · CVE-2026-49762

CVSS v4.0: 5.1 (Medium)

Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Elixir versions 1.5.0 through 1.20.0

Description: Uncontrolled Resource Consumption in the standard library's Version module allows an attacker to cause a denial of service via CPU and memory exhaustion. The version parser converts numeric components to integers without bounding their length, forcing a super-linear, non-yielding base-10 to arbitrary-precision integer conversion through `String.to_integer/1` (also known as `:erlang.binary_to_integer/1`). This process pins a BEAM scheduler, and larger components can trigger an uncaught `SystemLimitError` that crashes the calling process. A string of approximately one megabyte is sufficient to trigger this issue, and no authentication is required. The issue is reachable via the `parse_digits/2` routine in `lib/version.ex` and public entry points including `Version.parse/1`, `Version.parse!/1`, `Version.match?/3`, `Version.compare/2`, and `Version.parse_requirement/1`.

Recommendations: Update to version 1.20.1.
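As an added illustration (not part of the advisory and not Elixir's own code), the following wrapper shows the defensive pattern for callers that must parse untrusted version strings: bound the total input size and the length of every digit run in linear time before handing the string to `Version.parse/1`, so an oversized numeric component never reaches the unbounded integer conversion. The 256-byte and 10-digit limits are assumptions chosen for this example.

```elixir
defmodule SafeVersion do
  @moduledoc """
  Bounded front-end for Elixir's Version module (added example, not Elixir's own code).

  Rejects inputs whose total length or whose numeric components exceed a cap
  before they reach Version.parse/1, so an oversized digit run never triggers
  the unbounded base-10 to arbitrary-precision conversion described above.
  """

  # Assumed limits: real version numbers are far shorter than either of these.
  @max_total_bytes 256
  @max_component_digits 10

  @doc "Parses a version string or returns {:error, reason} without doing unbounded work."
  @spec parse(String.t()) :: {:ok, Version.t()} | {:error, atom()}
  def parse(string) when is_binary(string) and byte_size(string) > @max_total_bytes,
    do: {:error, :too_long}

  def parse(string) when is_binary(string) do
    if digit_runs_bounded?(string, 0) do
      case Version.parse(string) do
        {:ok, version} -> {:ok, version}
        :error -> {:error, :invalid}
      end
    else
      {:error, :component_too_long}
    end
  end

  @doc "Bounded counterpart of Version.match?/2: never parses an unbounded version string."
  @spec match?(String.t(), String.t() | Version.Requirement.t()) :: boolean()
  def match?(string, requirement) do
    case parse(string) do
      {:ok, version} -> Version.match?(version, requirement)
      {:error, _reason} -> false
    end
  end

  # Scan for any run of ASCII digits longer than the cap. Every byte is visited once,
  # so the pre-check is linear and cannot itself become a CPU sink. Digit runs inside
  # pre-release or build metadata are bounded by the same cap, which is fine for a
  # defensive wrapper.
  defp digit_runs_bounded?(_rest, run) when run > @max_component_digits, do: false
  defp digit_runs_bounded?(<<>>, _run), do: true

  defp digit_runs_bounded?(<<c, rest::binary>>, run) when c in ?0..?9,
    do: digit_runs_bounded?(rest, run + 1)

  defp digit_runs_bounded?(<<_c, rest::binary>>, _run), do: digit_runs_bounded?(rest, 0)
end
```

With these limits, `SafeVersion.parse("1.20.1")` returns `{:ok, version}` while a string such as `"1." <> String.duplicate("9", 1_000_000)` is rejected as `{:error, :too_long}` before any integer conversion takes place.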

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers: CVE-2026-49762

Affected Products: Elixir