Listen to this Post
How CVE-2026-32686 Works
The core of CVE-2026-32686 is the Decimal library’s failure to validate the exponent on parsed decimal input. When `Decimal.new/1` is given a string like "1e10000000", the exponent `10000000` is stored without any upper bound. The danger emerges when operations are performed on this massive number. For example, `Decimal.add(Decimal.parse(“1e10000000”), 1)` triggers a tail-recursive function. For a positive exponent, it repeatedly multiplies the coefficient and decrements the exponent, effectively performing a loop that grows a big integer coefficient by one digit per iteration. This results in an exponential memory allocation, ballooning beyond 7GB for a moderately large exponent. This unbounded recursion is the root cause of the Out-of-Memory (OOM) crash.
Many core library functions are vulnerable due to these unbounded allocations:
– add, sub, and `div` use an internal `add_align` function which calls `pow10` on the exponent difference, constructing a giant bignum.
– `to_string/2` with `:normal` or `:xsd` formats triggers :lists.duplicate(exp, ?0), creating a list of millions or billions of zero characters.
– `to_integer/1` recursively multiples the coefficient and decrements the exponent, similar to the addition operation.
– `round/3` uses the same `:lists.duplicate` trick on the exponent difference, leading to a similar memory explosion.
– `compare/3` with a threshold argument loops back into the vulnerable add/sub functions.
A single malicious request is sufficient to exhaust all available memory and crash the entire BEAM VM.
DailyCVE Form
Platform: Elixir/Erlang
Version: 0.1.0–2.x.x
Vulnerability : Unbounded Exponent Denial-of-Service
Severity: Medium (CVSS 6.9)
date: 2026-05-07
Prediction: Patch 2026-05-07
What Undercode Say:
Check your mix.lock for vulnerable versions
grep -A 2 "decimal" mix.lock
Exploit example (Do not run in production)
iex> Decimal.add(Decimal.new("1"), Decimal.new("1e1000000000"))
(RuntimeError) Out of memory
Fix by updating to patched version in mix.exs
{:decimal, "~> 3.0"}
Exploit:
A single HTTP request with this JSON payload can kill the VM
POST /api/calculate HTTP/1.1
Content-Type: application/json
{"amount": "1e1000000000"}
The application code vulnerable to the attack
def calculate(ctx) do
ctx.body_params["amount"]
|> Decimal.parse()
|> Decimal.add(Decimal.new(1))
end
Protection from this CVE
Immediately update the Decimal library to version 3.0.0 or higher, which enforces safer defaults by bounding the exponent. If an immediate update is not possible, implement strict input validation on all user-supplied decimals to reject any value with an exponent exceeding a safe threshold (e.g., > 1000). Additionally, consider using an application-level memory limit or process supervisor to automatically restart the BEAM VM if it becomes unresponsive. The official advisory recommends overriding the dependency in `mix.exs` if needed: {:decimal, "~> 3.0", override: true}.
Impact
Successful exploitation leads to an unauthenticated remote Denial of Service (DoS). The attacker can crash the Erlang VM (BEAM) by exhausting its memory, causing the entire application to become unavailable. This affects any service that accepts user-supplied decimal values and performs common operations like addition, subtraction, division, rounding, integer conversion, or string formatting. The attack vector requires only a single HTTP request, making exploitation trivial. The vulnerability is present in all Decimal library versions from 0.1.0 up to, but not including, 3.0.0. Applications using Ecto’s `:decimal` type for database fields are also exposed, as user input from JSON, form fields, or other sources can be passed directly into vulnerable functions.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

