PT-2026-49533 · Elixir Grpc+1 · Grpc

Jonatan Männchen +2 · Published 2026-06-15 · Updated 2026-06-15 · CVE-2026-48853

CVSS v4.0: 9.2 Critical
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: grpc versions 0.4.0 through 0.9.x

Description: Deserialization of untrusted data and allocation of resources without limits or throttling allow unauthenticated attackers to crash the BEAM node or achieve remote code execution on the server. The function decode/2 in Elixir.GRPC.Codec.Erlpack calls :erlang.binary_to_term/1 on the raw gRPC message body without the :safe option, size bounds, or type guards. An unauthenticated peer sending a request with Content-Type: application/grpc+erlpack can provide a crafted payload that mints arbitrary new atoms; atoms are never garbage-collected, so this leads to atom table exhaustion and a VM crash. Additionally, the payload can encode a fun term that executes attacker-controlled code if it is applied downstream. This issue occurs only when GRPC.Codec.Erlpack is explicitly registered as a codec on the gRPC server.

Recommendations: Update to version 1.0.0 or later. As a temporary workaround, avoid registering GRPC.Codec.Erlpack as a codec on the gRPC server.
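The vulnerable decode/2 shape beside a hardened one, as an added Elixir example that is not the grpc project's own code; the Example.Ping message struct, the Example.SafeErlpack module and the 1 MB body bound are assumptions for this demo.

```elixir
# Added example, not grpc library code: a codec in the shape of
# GRPC.Codec.Erlpack. Example.Ping and @max_body_bytes are assumptions.
defmodule Example.Ping do
  defstruct [:payload]
end

defmodule Example.SafeErlpack do
  # Assumed upper bound on a message body; choose one for your service.
  @max_body_bytes 1_000_000

  # Vulnerable shape: no size bound, no :safe, no check on the decoded term.
  def unsafe_decode(binary, _module) when is_binary(binary) do
    :erlang.binary_to_term(binary)
  end

  # Hardened shape: refuse oversize bodies before decoding, decode with
  # :safe so new atoms and external funs are refused (binary_to_term
  # raises ArgumentError), then accept only a struct of the expected module.
  def safe_decode(binary, module) when is_binary(binary) and is_atom(module) do
    with :ok <- check_size(binary),
         {:ok, term} <- safe_binary_to_term(binary),
         :ok <- check_struct(term, module) do
      {:ok, term}
    end
  end

  defp check_size(binary) when byte_size(binary) > @max_body_bytes,
    do: {:error, :body_too_large}
  defp check_size(_binary), do: :ok

  defp safe_binary_to_term(binary) do
    {:ok, :erlang.binary_to_term(binary, [:safe])}
  rescue
    ArgumentError -> {:error, :unsafe_or_malformed_term}
  end

  # Local funs and pids can survive :safe, so the shape check is what keeps
  # anything but the expected message struct away from downstream code.
  defp check_struct(%{__struct__: module}, module), do: :ok
  defp check_struct(_term, _module), do: {:error, :unexpected_term}

  # Constructed inputs: a well-formed message, an oversize body, a fun term.
  def demo do
    ok = :erlang.term_to_binary(%Example.Ping{payload: "hi"})
    big = :binary.copy(<<0>>, @max_body_bytes + 1)
    fun = :erlang.term_to_binary(fn -> :ok end)
    {safe_decode(ok, Example.Ping), safe_decode(big, Example.Ping), safe_decode(fun, Example.Ping)}
  end
end
```

demo/0 returns {:ok, ...} for the well-formed message and {:error, ...} for the other two inputs; the same size and shape checks apply whether the request arrived as application/grpc+erlpack or any other registered codec.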

Weakness Enumeration: Deserialization of Untrusted Data; Allocation of Resources Without Limits

Related Identifiers: CVE-2026-48853, GHSA-GRP7-V8XH-RJ7H

Affected Products: Grpc