
Elixir-GRPC Erlpack Deserialization Leads to Node Crash and RCE

CVE advisory

Severity: CRITICAL (CVSS 9.2)

CVE-2026-48853

Vulnerabilities in the elixir-grpc grpc library allow unauthenticated attackers to crash the server or execute arbitrary code. By sending a crafted payload, an attacker could exhaust the server's atom table, causing a denial of service, or achieve remote code execution. This issue is critical because it can be exploite

Halo Surface Signal: 4

Deserialization

External exposure likelihood


The vulnerability exists in a gRPC library, which is commonly used to build internet-facing APIs, microservices, and network-accessible communication endpoints. Because gRPC services are frequently exposed as public-facing API gateways or web-accessible service interfaces, the vulnerable component is highly likely to be reachable from the internet in standard deployments.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability in a widely used gRPC library that handles data decoding. The flaw allows unauthenticated attackers to potentially crash servers by exhausting system resources or execute arbitrary code, posing a significant risk to services relying on this library for network communication.

  • Unauthenticated attackers can crash servers or run code.
  • It affects critical network communication and server operations.
  • Confirm relevance and assess exposure of this library.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can send a specially crafted gRPC request to a server. This request targets the `elixir-grpc` library's Erlang Pack codec, specifically its `decode/2` function. By exploiting how this function handles untrusted data and lacks resource limits, an attacker can cause the server to crash or potentially achieve remote code execution.

  • No authentication required for access.
  • Triggered by sending a malicious gRPC request.
  • Risk of server crash or code execution.

Live Threat

Current exploitation, exposure, and threat context

A critical vulnerability in the elixir-grpc library could allow unauthenticated attackers to remotely crash the server by exhausting its atom table, a fundamental component of the Erlang virtual machine. Processing certain decoded data structures could also lead to the execution of attacker-controlled code on the server.

  • Server BEAM node crashes.
  • Crafted payloads trigger atom table exhaustion.
  • Remote code execution could occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and infrastructure teams are likely responsible for addressing this vulnerability in the elixir-grpc library. The first practical step is to identify all instances of the affected technology, confirm their accessibility and business criticality, and then locate the accountable owner to plan remediation based on risk.

  • Application and platform teams own the issue.
  • Verify exposure and critical dependencies first.
  • Plan coordinated maintenance or vendor engagement.


Frequently asked questions

What is the elixir-grpc library used for?

This software provides a framework for Elixir developers to build services using gRPC, a high-performance system for communication between microservices. It handles the details of sending and receiving structured messages, allowing different parts of a software architecture to talk to each other reliably over a network.

What do CWE-502 and CWE-770 mean for CVE-2026-48853?

These codes represent common software weaknesses. CWE-502 refers to 'Deserialization of Untrusted Data,' where the system improperly converts external input into internal objects, potentially allowing malicious code execution. CWE-770 refers to 'Allocation of Resources Without Limits,' where the system accepts too much data or too many operations without checking, which can consume all available memory or system identifiers, causing the service to crash.

How can an attacker trigger this vulnerability?

An attacker sends a specially crafted gRPC request using the 'application/grpc+erlpack' content type. If the library processes this without proper safety checks, it can force the server to create unlimited new identifiers or execute unintended commands. Requests that do not use this specific content type or that target other parts of the application are not affected by this trigger path.
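Because the trigger path depends on that content type, proxy or gateway logs can show whether any client is using it. The following is an added example, not part of the advisory or the elixir-grpc project; the JSON field names (`client_ip`, `path`, `content_type`) and the sample log lines are constructed assumptions about the log schema.

```python
import json
from collections import Counter

ERLPACK_TYPE = "application/grpc+erlpack"  # content type named in this advisory


def is_erlpack(content_type):
    """True when the media type, ignoring case and parameters, is the erlpack one."""
    if not isinstance(content_type, str):
        return False
    return content_type.split(";", 1)[0].strip().lower() == ERLPACK_TYPE


def erlpack_requests(log_lines):
    """Count erlpack-typed requests per (client, path); unparseable lines are skipped."""
    hits = Counter()
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict) and is_erlpack(entry.get("content_type")):
            hits[(entry.get("client_ip"), entry.get("path"))] += 1
    return hits


# Constructed log lines; the field names are assumptions about the proxy's schema.
SAMPLE_LOG = [
    '{"client_ip": "198.51.100.7", "path": "/helloworld.Greeter/SayHello", "content_type": "application/grpc+proto"}',
    '{"client_ip": "203.0.113.9", "path": "/helloworld.Greeter/SayHello", "content_type": "application/grpc+erlpack"}',
    '{"client_ip": "203.0.113.9", "path": "/helloworld.Greeter/SayHello", "content_type": "Application/GRPC+Erlpack; v=1"}',
    '{"client_ip": "198.51.100.7", "path": "/helloworld.Greeter/SayHello", "content_type": "application/grpc"}',
    'truncated line {"client_ip": ',
]

if __name__ == "__main__":
    for (client, path), count in erlpack_requests(SAMPLE_LOG).most_common():
        print(f"{count} erlpack request(s) from {client} to {path}")
```

If no legitimate client uses this content type, the same match can serve as a block rule at the gateway until the library is updated.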

Is my system at risk?

Halo Surface Signal notes that gRPC libraries are frequently used for internet-facing APIs and service gateways. If your deployment makes these service interfaces accessible from the public internet, the potential for unauthorized access is much higher. Internal-only services may have a reduced likelihood of encounter, but the underlying weakness remains present.

What should I do if I use this software?

Review your project dependencies to determine if you are using a vulnerable version of the grpc library, specifically those from 0.4.0 up to, but not including, 1.0.0. If you are, prioritize updating to a patched version provided by the maintainers. If an immediate update is not possible, consider restricting network access to the affected gRPC services.
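One way to run that dependency review is to read each project's `mix.lock` and compare the pinned `grpc` version with the range given above. This is an added example, not code from the advisory or the maintainers; the sample lock excerpt is constructed, and the status labels are this example's own.

```python
import re

# Affected range stated in this advisory: 0.4.0 up to, but not including, 1.0.0.
AFFECTED_MIN, FIXED_FROM = (0, 4, 0), (1, 0, 0)

# Hex entry in mix.lock:  "grpc": {:hex, :grpc, "0.9.0", "<checksum>", ...
HEX_ENTRY = re.compile(r'"grpc":\s*\{:hex,\s*:grpc,\s*"([^"]+)"')
# A git entry pins a commit, not a version:  "grpc": {:git, "<url>", "<sha>", ...
GIT_ENTRY = re.compile(r'"grpc":\s*\{:git,')


def parse_version(raw):
    """Return (major, minor, patch) and whether raw carries a pre-release tag."""
    core = raw.split("+", 1)[0]              # drop build metadata
    numbers, _, prerelease = core.partition("-")
    parts = [int(p) for p in numbers.split(".")]
    return tuple((parts + [0, 0, 0])[:3]), bool(prerelease)


def classify(lock_text):
    """Return (status, detail) for the grpc package in the text of a mix.lock."""
    match = HEX_ENTRY.search(lock_text)
    if match:
        raw = match.group(1)
        version, prerelease = parse_version(raw)
        if version == FIXED_FROM and prerelease:
            return ("review", raw)           # 1.0.0-rc.N sorts below 1.0.0
        if AFFECTED_MIN <= version < FIXED_FROM:
            return ("affected", raw)
        return ("outside-range", raw)
    if GIT_ENTRY.search(lock_text):
        return ("review", "git dependency, resolve the commit to a release")
    return ("absent", "")


# Constructed mix.lock excerpt; checksums replaced by placeholders.
SAMPLE_LOCK = '''%{
  "cowboy": {:hex, :cowboy, "2.10.0", "<checksum>", [:make, :rebar3], [], "hexpm", "<checksum>"},
  "grpc": {:hex, :grpc, "0.9.0", "<checksum>", [:mix], [], "hexpm", "<checksum>"},
}'''

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or [None]:
        text = open(path, encoding="utf-8").read() if path else SAMPLE_LOCK
        print(path or "<sample>", *classify(text))
```

Pass one or more `mix.lock` paths as arguments to check real projects; entries reported as `review` (git dependencies, pre-releases of 1.0.0) need a manual look because the lock file alone does not place them inside or outside the range.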
