DEBIAN-CVE-2026-21619

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-21619

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-21619.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-21619

Upstream

CVE-2026-21619

Published

2026-02-27T18:16:11.373Z

Modified

2026-03-24T10:01:42.609446Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hexcore (hexapi modules), hexpm hex (mixhexapi modules), erlang rebar3 (r3hexapi modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hexapi.erl, src/mixhexapi.erl, apps/rebar/src/vendored/r3hexapi.erl and program routines hexcore:request/4, mixhexapi:request/4, r3hexapi:request/4. This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.

References

https://security-tracker.debian.org/tracker/CVE-2026-21619

Affected packages

Debian:13 / erlang-hex

Package

Name: erlang-hex
Purl: pkg:deb/debian/erlang-hex?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.0.6-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-21619.json"

Debian:14 / erlang-hex

Package

Name: erlang-hex
Purl: pkg:deb/debian/erlang-hex?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.0.6-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-21619.json"

Debian:12 / rebar3

Package

Name: rebar3
Purl: pkg:deb/debian/rebar3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.19.0-1

3.23.0-1

3.23.0-2

3.23.0-3

3.24.0-1

3.25.1-1

3.26.0-1

3.27.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-21619.json"

Debian:13 / rebar3

Package

Name: rebar3
Purl: pkg:deb/debian/rebar3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.24.0-1

3.25.1-1

3.26.0-1

3.27.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-21619.json"

Debian:14 / rebar3

Package

Name: rebar3
Purl: pkg:deb/debian/rebar3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.27.0-1

Affected versions

3.*

3.24.0-1

3.25.1-1

3.26.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-21619.json"