{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34593", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T17:15:52.499Z", "datePublished": "2026-04-02T17:42:26.459Z", "dateUpdated": "2026-04-02T17:42:26.459Z"}, "containers": {"cna": {"title": "Ash Framework: Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/ash-project/ash/security/advisories/GHSA-jjf9-w5vj-r6vp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ash-project/ash/security/advisories/GHSA-jjf9-w5vj-r6vp"}, {"name": "https://github.com/ash-project/ash/releases/tag/v3.22.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/ash-project/ash/releases/tag/v3.22.0"}], "affected": [{"vendor": "ash-project", "product": "ash", "versions": [{"version": "< 3.22.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:42:26.459Z"}, "descriptions": [{"lang": "en", "value": "Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for any user-supplied binary string that starts with \"Elixir.\", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has a hard default limit of approximately 1,048,576 entries, an attacker who can submit values to any resource attribute or argument of type :module can exhaust this table and crash the entire BEAM VM, taking down the application. This issue has been patched in version 3.22.0."}], "source": {"advisory": "GHSA-jjf9-w5vj-r6vp", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for any user-supplied binary string that starts with \"Elixir.\", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has a hard default limit of approximately 1,048,576 entries, an attacker who can submit values to any resource attribute or argument of type :module can exhaust this table and crash the entire BEAM VM, taking down the application. This issue has been patched in version 3.22.0."}], "id": "CVE-2026-34593", "lastModified": "2026-04-02T18:16:31.360", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T18:16:31.360", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ash-project/ash/releases/tag/v3.22.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/ash-project/ash/security/advisories/GHSA-jjf9-w5vj-r6vp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.22.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ash", "source": "cna", "vendor": "ash-project"}, "product": "ash", "vendor": "ash-project"}], "analysis": {"en": {"generated_at": "2026-04-02T22:28:48.142213+00:00", "value": {"mitigation_remediation": ["Upgrade Ash Framework to version 3.22.0 or newer.", "Validate or restrict values supplied to :module attributes to ensure they contain only existing module names.", "Monitor atom usage and watch for abnormal increases in atom count, and consider limiting the application to a smaller BEAM instance if feasible."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected product is the Ash Framework (ash-project:ash). All versions prior to 3.22.0 are vulnerable; the issue was addressed in the 3.22.0 release.", "description_and_impact": "Ash Framework, a declarative framework for Elixir applications, had a flaw in the function Ash.Type.Module.cast_input/2 that allowed an attacker to create new Erlang atoms from any user\u2011supplied binary starting with \"Elixir.\" without verifying module existence. Because atoms are never garbage\u2011collected and the BEAM atom table has a fixed limit of about 1,048,576 entries, repeated use of this function can exhaust the table and crash the BEAM virtual machine, causing a denial of service for the entire application. The weakness is classified as CWE\u2011400, uncontrolled resource consumption.", "risk_and_exploitability": "The CVSS base score is 8.2, indicating high severity. No EPSS score is available and the vulnerability is not listed in KEV. The likely attack vector is through any input that is passed to a :module typed attribute or function argument; if an attacker can submit such data remotely\u2014as through an API or web form\u2014they can induce atom exhaustion. Successful exploitation would cause a BEAM VM crash and result in service downtime. No public exploit is known, but the easy trigger makes this a high\u2011risk vulnerability for exposed services."}}}}, "created": "2026-04-03T07:32:11.066777+00:00", "updated": "2026-04-03T09:17:14.275803+00:00", "vendors": ["ash-project", "ash-project$PRODUCT$ash"]}