CVE-2026-23940 in hex.pm

Summary

by MITRE • 03/13/2026

Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Excessive Allocation. Publishing an oversized package can cause Hex.pm to run out of memory while extracting the uploaded package tarball. This can terminate the affected application instance and result in a denial of service for package publishing and potentially other package-processing functionality.

This issue affects hexpm: before 495f01607d3eae4aed7ad09b2f54f31ec7a7df01; hex.pm: before 2026-03-10.


Analysis

by VulDB Data Team • 03/20/2026

CVE-2026-23940 is a resource consumption flaw in hexpm, the registry software behind hex.pm, which is core infrastructure for the Erlang and Elixir ecosystems. The weakness is uncontrolled allocation: when the registry extracts an excessively large uploaded package tarball, the memory needed to process it can exceed what the application instance has available. The issue affects the hexpm/hexpm repository before commit 495f01607d3eae4aed7ad09b2f54f31ec7a7df01; the hosted hex.pm service was vulnerable until March 10, 2026. The root cause is classified as CWE-400 (Uncontrolled Resource Consumption), the weakness class in which input is processed without bounding the memory, CPU or storage it may consume, so that a single request can exhaust a resource shared by every user of the service.

Exploitation happens in the package publishing workflow: an attacker able to submit a publish request uploads an oversized package, and when the server extracts the tarball the allocation required to hold its contents consumes the instance's available memory. The instance is then terminated, denying service for publishing and potentially for any other functionality that shares the same package-processing path. The trigger is unbounded allocation, not memory corruption, so the outcome is a crash of the instance rather than code execution. In the MITRE ATT&CK framework this maps to T1499.004 (Endpoint Denial of Service: Application or System Exploitation), where an adversary crashes a service by sending input that exploits a flaw in how it processes requests.

The operational impact is availability. When an instance is killed by memory exhaustion, publishes in flight fail and, until the instance restarts or another one absorbs the traffic, publishing is unavailable to all users, which blocks release pipelines in teams that depend on hex.pm to distribute their packages. Because the trigger is a single upload, the attack is cheap to repeat, so an attacker can keep publishing down for as long as uploads are accepted; how long each outage lasts depends on the deployment's restart and load-balancing behaviour. The advisory describes the impact as publishing and potentially other package-processing functionality; it does not claim that package downloads are affected. KEV lists no known exploitation and the EPSS score is 0.00068, so the observed likelihood of exploitation is low even though the attack itself is simple.

Mitigation is to bound what a single upload can make the server allocate, and to check the bound before the allocation rather than after. Concretely: enforce a hard limit on the upload body at the HTTP layer before the body is buffered, check the declared size of each tarball entry against a cap before extracting it, budget the cumulative decompressed size of any compressed content inside the package (the compressed size says nothing about what it expands to), and reject the request as soon as a limit is crossed. Rate limiting publish requests per account slows repeated attempts, and per-instance memory monitoring with alerting on abnormal allocation during publish requests makes an attack visible. Operators running their own hexpm deployment should update to a build that includes commit 495f01607d3eae4aed7ad09b2f54f31ec7a7df01 or later; users of the hosted hex.pm service need no action, since it was fixed on 2026-03-10.
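The following is an added illustration of the unbounded pattern beside the bounded one described above. It is written in Python for this page and is not hexpm's code, which is Elixir; the three limits, the function names and the simplified package layout (an outer tar holding metadata entries plus a gzipped contents.tar.gz, modelled on Hex packages) are assumptions. The samples it processes are constructed in the block itself, including a "bomb" whose 20 MiB of zeros gzips to a few tens of kilobytes, so a check on the upload size alone would let it through.

```python
import io
import tarfile

# Limits are assumed for illustration; the page does not state hexpm's actual caps.
MAX_UPLOAD_BYTES = 8 * 1024 * 1024   # raw upload body
MAX_ENTRY_BYTES = 4 * 1024 * 1024    # any single outer tar entry
MAX_INNER_BYTES = 16 * 1024 * 1024   # cumulative decompressed size of contents.tar.gz


class PackageTooLarge(ValueError):
    """Raised instead of allocating when an upload crosses a limit."""


def build_package(meta: dict, contents: dict) -> bytes:
    """Construct a Hex-style package for the demo: an outer tar holding metadata
    entries plus contents.tar.gz, itself a gzipped tar of the source files."""
    inner = io.BytesIO()
    with tarfile.open(fileobj=inner, mode="w:gz") as tf:
        for name, data in contents.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    outer = io.BytesIO()
    with tarfile.open(fileobj=outer, mode="w") as tf:
        for name, data in {**meta, "contents.tar.gz": inner.getvalue()}.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return outer.getvalue()


def extract_unbounded(upload: bytes) -> dict:
    """Vulnerable pattern: materialise every outer entry, then the whole decompressed
    inner tarball, in memory with no limit. Memory use is whatever the uploader chose."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(upload), mode="r:") as tf:
        for m in tf.getmembers():
            files[m.name] = tf.extractfile(m).read()
    with tarfile.open(fileobj=io.BytesIO(files["contents.tar.gz"]), mode="r:gz") as tf:
        files["contents"] = {m.name: tf.extractfile(m).read() for m in tf.getmembers()}
    return files


def extract_bounded(upload: bytes) -> dict:
    """Hardened pattern: check a bound at each layer before the allocation it guards."""
    # Layer 1: the raw body. In a real service this belongs at the HTTP layer
    # (Content-Length / bounded body read), before the body is buffered at all.
    if len(upload) > MAX_UPLOAD_BYTES:
        raise PackageTooLarge("upload exceeds %d bytes" % MAX_UPLOAD_BYTES)

    # Layer 2: each outer entry. The header size is attacker-controlled, but tar never
    # hands back more bytes than the header declares, so it is a valid upper bound to
    # test before reading. Non-regular entries (links, devices) are not expected here.
    files = {}
    with tarfile.open(fileobj=io.BytesIO(upload), mode="r:") as tf:
        for m in tf:
            if not m.isfile():
                raise PackageTooLarge("unexpected entry type: %s" % m.name)
            if m.size > MAX_ENTRY_BYTES:
                raise PackageTooLarge("entry %s declares %d bytes" % (m.name, m.size))
            files[m.name] = tf.extractfile(m).read()
    if "contents.tar.gz" not in files:
        raise ValueError("package has no contents.tar.gz")

    # Layer 3: the inner tarball is gzipped, so passing layer 2 says nothing about what
    # it expands to. Budget the cumulative decompressed size and stop at the first entry
    # that would overrun it, before that entry's data is read.
    budget = MAX_INNER_BYTES
    contents = {}
    with tarfile.open(fileobj=io.BytesIO(files["contents.tar.gz"]), mode="r:gz") as tf:
        for m in tf:
            if not m.isfile():
                raise PackageTooLarge("unexpected inner entry type: %s" % m.name)
            if m.size > budget:
                raise PackageTooLarge("inner entry %s overruns the %d byte budget"
                                      % (m.name, MAX_INNER_BYTES))
            contents[m.name] = tf.extractfile(m).read()
            budget -= m.size
    files["contents"] = contents
    return files


def rejects(upload: bytes) -> bool:
    """True if the hardened path refuses the upload with PackageTooLarge."""
    try:
        extract_bounded(upload)
        return False
    except PackageTooLarge:
        return True


if __name__ == "__main__":
    # Constructed samples: a normal package and a gzip bomb that is tiny on the wire.
    good = build_package({"VERSION": b"3"}, {"lib/demo.ex": b"defmodule Demo do\nend\n"})
    bomb = build_package({"VERSION": b"3"}, {"lib/big.ex": b"\0" * (20 * 1024 * 1024)})
    print("good accepted:", not rejects(good))
    print("bomb upload bytes:", len(bomb), "rejected by bounded path:", rejects(bomb))
    print("unbounded path holds:", len(extract_unbounded(bomb)["contents"]["lib/big.ex"]), "bytes")
```

The order of the checks is the point: each limit is tested against a value that is already known (the body length, the tar header's size field, the remaining budget) before the corresponding bytes are read into memory, so a rejected upload never costs more than the bytes already received. In a web application the first layer should be enforced by the framework's bounded body read or the reverse proxy's request size limit rather than on an already buffered binary as shown here.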

Responsible

EEF

Reservation

01/19/2026

Disclosure

03/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00068

KEV

no

Activities

very low
