CVE-2026-53430

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-53430

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53430.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-53430

Aliases

EEF-CVE-2026-53430
GHSA-6ccx-9c9f-327w

Published

2026-06-15T21:55:33.707Z

Modified

2026-06-18T03:56:18.975864299Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1

Details

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Message modules) allows a denial of service via a gzip decompression bomb.

This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.ex and program routines 'Elixir.GRPC.Compressor.Gzip':decompress/1, 'Elixir.GRPC.Message':from_data/2.

'Elixir.GRPC.Compressor.Gzip':decompress/1 calls :zlib.gunzip/1 directly on attacker-controlled bytes with no decompressed-size limit, ratio check, or incremental decoding. Because this module is the registered gzip GRPC.Compressor implementation, it is invoked automatically whenever an incoming gRPC frame carries the grpc-encoding: gzip header. :zlib.gunzip/1 allocates the entire decompressed result as a single binary, so a small highly compressible payload (for example a few kilobytes of zeros, which gzip compresses at roughly 1000:1) expands to multiple gigabytes inside a single call. The maxreceivemessage_length limit is enforced only against the already-decompressed message, so it provides no protection. An unauthenticated remote peer can send a single crafted frame to exhaust the BEAM node's heap and trigger an out-of-memory kill.

This issue affects grpc: from 0.4.0 before 1.0.0.

Database specific

{
    "cna_assigner": "EEF",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53430.json",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "beae6800fc8baf126f3fe7107d86a50e105275ba"
                },
                {
                    "fixed": "1afbab9d57d2a3e16ca9c62ffa4923338ea96cfc"
                }
            ]
        }
    ],
    "cwe_ids": [
        "CWE-409"
    ]
}

References

Affected packages

Git / github.com/elixir-grpc/grpc

Affected ranges

Type

GIT

Repo

https://github.com/elixir-grpc/grpc

Events

Introduced

e45282526107417bd54f57bb8298b52a7c272ccb

Fixed

8105f803030f7f5ae1d722251ee6ab2e36878830

Fixed

1afbab9d57d2a3e16ca9c62ffa4923338ea96cfc

Database specific

{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0.4.0"
        },
        {
            "fixed": "1.0.0"
        }
    ]
}

Affected versions

v0.*

v0.11.2

v0.4.0

v0.5.0

v0.5.0-beta

v0.5.0-beta.1

v0.6.0

v0.7.0

v0.8.0

v0.8.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53430.json"