PT-2026-48648 · Membraneframework · Membrane Mp4 Plugin
Łukasz Kita +1 · Published 2026-06-11 · Updated 2026-06-11 · CVE-2026-53423
CVSS v4.0: 5.9 (Medium)
Vector: AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Allocation of Resources Without Limits or Throttling vulnerability in membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion.
The MP4 box header parser converts each 4-byte box name to an atom using String.to_atom/1 without validation. 'Elixir.Membrane.MP4.Container.Header':parse_box_name/1 in lib/membrane_mp4/container/header.ex interns every box name encountered while 'Elixir.Membrane.MP4.Container.Header':parse/1 walks the input. BEAM atoms are never garbage-collected, so each unique attacker-controlled 4-byte name is a permanent allocation. A crafted MP4 of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names exhausts the atom table (default ceiling around 1,048,576 atoms), aborting the entire BEAM node and taking down all applications running on it.
This issue affects membrane_mp4_plugin from 0.3.0 before 0.36.7.
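The difference between interning every box name and mapping only known names to atoms can be measured directly. The following is an added example, not the plugin's code and not the fix shipped in 0.36.7; the module name, the allowlist contents and the constructed sample input are assumptions.

```elixir
defmodule BoxNameExample do
  # Hypothetical allowlist; a real parser would list every box type it handles.
  @known Map.new(~w(ftyp moov mvhd trak mdia mdat free), &{&1, String.to_atom(&1)})

  # Pattern described in the advisory: each distinct name becomes a permanent atom.
  def unsafe_name(<<name::binary-size(4)>>), do: String.to_atom(name)

  # Hardened pattern: known names map to atoms, anything else stays a binary.
  def safe_name(<<name::binary-size(4)>>), do: Map.get(@known, name, name)

  # Walk top-level boxes: 32-bit big-endian size (header included), 4-byte name.
  # Sizes 0 and 1 (to-end-of-file and 64-bit forms) and truncated boxes stop the walk.
  def box_names(data, to_name, acc \\ [])

  def box_names(<<size::32, name::binary-size(4), rest::binary>>, to_name, acc)
      when size >= 8 and size - 8 <= byte_size(rest) do
    skip = size - 8
    tail = binary_part(rest, skip, byte_size(rest) - skip)
    box_names(tail, to_name, [to_name.(name) | acc])
  end

  def box_names(_rest, _to_name, acc), do: Enum.reverse(acc)

  # Constructed input: n empty boxes named "x000", "x001", ... (1 <= n <= 1000).
  def sample(n) do
    for i <- 0..(n - 1), into: <<>> do
      <<8::32, "x", String.pad_leading(Integer.to_string(i), 3, "0")::binary>>
    end
  end

  # Atoms the VM interned while running fun (includes any from code loading).
  def atoms_created(fun) do
    before = :erlang.system_info(:atom_count)
    fun.()
    :erlang.system_info(:atom_count) - before
  end
end

data = BoxNameExample.sample(500)
safe = BoxNameExample.atoms_created(fn -> BoxNameExample.box_names(data, &BoxNameExample.safe_name/1) end)
unsafe = BoxNameExample.atoms_created(fn -> BoxNameExample.box_names(data, &BoxNameExample.unsafe_name/1) end)
IO.puts("atoms interned: allowlist=#{safe} String.to_atom=#{unsafe} limit=#{:erlang.system_info(:atom_limit)}")
```

Comparing `:erlang.system_info(:atom_count)` against `:atom_limit` in node monitoring gives early warning of this class of leak, whatever its source.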
Fix
Allocation of Resources Without Limits
Weakness Enumeration
Related Identifiers
Affected Products
Membrane Mp4 Plugin