CVE-2026-53423

Source
https://cve.org/CVERecord?id=CVE-2026-53423
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53423.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-53423
Aliases
Published
2026-06-11T10:44:51.528Z
Modified
2026-06-18T03:56:59.218304404Z
Severity
  • 5.9 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
Unauthenticated denial-of-service via BEAM atom table exhaustion in membrane_mp4_plugin
Details

Allocation of Resources Without Limits or Throttling vulnerability in membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion.

The MP4 box header parser converts each 4-byte box name to an atom using String.to_atom/1 without validation. 'Elixir.Membrane.MP4.Container.Header':parse_box_name/1 in lib/membrane_mp4/container/header.ex interns every box name encountered while 'Elixir.Membrane.MP4.Container.Header':parse/1 walks the input. BEAM atoms are never garbage-collected, so each unique attacker-controlled 4-byte name is a permanent allocation. A crafted MP4 of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names exhausts the atom table (default ceiling around 1,048,576 atoms), aborting the entire BEAM node and taking down all applications running on it.

This issue affects membrane_mp4_plugin from 0.3.0 before 0.36.7.
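
The pattern described above, contrasted with a bounded alternative, as an added example that is not code from membrane_mp4_plugin and not the project's actual fix. The module `BoxNameDemo`, its functions, the allowlist and the sample names are hypothetical and constructed for illustration; the script prints how much the atom table grows under each approach.

```elixir
# Added illustration: names here are hypothetical, not from membrane_mp4_plugin.
defmodule BoxNameDemo do
  # Constructed allowlist of a few standard ISO BMFF box types.
  # The atoms are created once, at compile time.
  @known_boxes %{
    "ftyp" => :ftyp,
    "moov" => :moov,
    "trak" => :trak,
    "mdat" => :mdat,
    "free" => :free
  }

  # Pattern described in the advisory: every distinct 4-byte name
  # is interned as a new atom that is never garbage-collected.
  def unsafe_name(<<name::binary-size(4)>>), do: String.to_atom(name)

  # Bounded alternative: known names map to pre-existing atoms;
  # anything else stays a binary, so untrusted input creates no atoms.
  def safe_name(<<name::binary-size(4)>>) do
    case Map.fetch(@known_boxes, name) do
      {:ok, atom} -> atom
      :error -> {:unknown, name}
    end
  end
end

# Constructed sample: 500 distinct non-standard 4-byte box names.
names =
  for i <- 1..500 do
    "x" <> String.pad_leading(Integer.to_string(i, 36), 3, "0")
  end

atom_count = fn -> :erlang.system_info(:atom_count) end

start = atom_count.()
Enum.each(names, &BoxNameDemo.safe_name/1)
after_safe = atom_count.()
Enum.each(names, &BoxNameDemo.unsafe_name/1)
after_unsafe = atom_count.()

# Growth under safe_name/1 does not depend on the number of distinct names;
# growth under unsafe_name/1 is one atom per distinct name.
IO.puts("atom limit:         #{:erlang.system_info(:atom_limit)}")
IO.puts("growth, safe path:  #{after_safe - start}")
IO.puts("growth, unsafe path: #{after_unsafe - after_safe}")
```

Tracking `:erlang.system_info(:atom_count)` against `:atom_limit` on a running node gives the same signal operationally: steady growth while parsing untrusted media points at dynamic atom creation.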

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53423.json",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "ae4bf04c393aa1562f3df3d33e20bc5cb8130de2"
                },
                {
                    "fixed": "56373d1ddc86968e55fbde795c14eeba24357b57"
                }
            ]
        }
    ],
    "cwe_ids": [
        "CWE-770"
    ],
    "cna_assigner": "EEF"
}
References

Affected packages

Git / github.com/membraneframework/membrane_mp4_plugin

Affected ranges

Type
GIT
Repo
https://github.com/membraneframework/membrane_mp4_plugin
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0.3.0"
        },
        {
            "fixed": "0.36.7"
        },
        {
            "introduced": "0.3.0"
        },
        {
            "fixed": "0.36.7"
        }
    ]
}

Affected versions

v0.*
v0.10.0
v0.11.0
v0.12.0
v0.12.1
v0.13.0
v0.14.0
v0.15.0
v0.16.0
v0.16.1
v0.16.2
v0.17.0
v0.18.0
v0.18.1
v0.19.0
v0.20.0
v0.21.0
v0.22.0
v0.22.1
v0.22.2
v0.22.3
v0.23.0
v0.24.0
v0.24.1
v0.25.0
v0.26.0
v0.26.1
v0.27.0
v0.28.0
v0.28.1
v0.29.0
v0.29.1
v0.3.0
v0.30.0
v0.30.1
v0.30.2
v0.31.0
v0.32.0
v0.33.0
v0.33.1
v0.34.0
v0.34.1
v0.34.2
v0.35.0
v0.35.1
v0.35.2
v0.35.3
v0.36.0
v0.36.1
v0.36.2
v0.36.3
v0.36.4
v0.36.5
v0.36.6
v0.4.0
v0.5.0
v0.6.0
v0.7.0
v0.8.0
v0.9.0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53423.json"