{"affected":[{"package":{"ecosystem":"Hex","name":"membrane_mp4_plugin","purl":"pkg:hex/membrane_mp4_plugin"},"ranges":[{"events":[{"introduced":"0.3.0"},{"fixed":"0.36.7"}],"type":"SEMVER"}],"versions":["0.3.0","0.4.0","0.5.0","0.6.0","0.7.0","0.8.0","0.9.0","0.10.0","0.11.0","0.12.0","0.12.1","0.13.0","0.14.0","0.15.0","0.16.0","0.16.1","0.16.2","0.17.0","0.18.0","0.18.1","0.19.0","0.20.0","0.21.0","0.22.0","0.22.1","0.22.2","0.22.3","0.23.0","0.24.0","0.24.1","0.25.0","0.26.0","0.26.1","0.27.0","0.28.0","0.28.1","0.29.0","0.29.1","0.30.0","0.30.1","0.30.2","0.31.0","0.32.0","0.33.0","0.33.1","0.34.0","0.34.1","0.34.2","0.35.0","0.35.1","0.35.2","0.35.3","0.36.0","0.36.1","0.36.2","0.36.3","0.36.4","0.36.5","0.36.6"]},{"ranges":[{"events":[{"introduced":"ae4bf04c393aa1562f3df3d33e20bc5cb8130de2"},{"fixed":"56373d1ddc86968e55fbde795c14eeba24357b57"}],"repo":"https://github.com/membraneframework/membrane_mp4_plugin","type":"GIT"}]}],"aliases":["GHSA-43hj-fxwj-49qw","CVE-2026-53423"],"credits":[{"name":"Łukasz Kita","type":"FINDER"},{"name":"Łukasz Kita","type":"REMEDIATION_DEVELOPER"},{"name":"Mateusz Front","type":"REMEDIATION_DEVELOPER"},{"name":"Jonatan Männchen / EEF","type":"ANALYST"}],"database_specific":{"capec_ids":["CAPEC-130"],"cpe_ids":["cpe:2.3:a:membraneframework:membrane_mp4_plugin:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-770"]},"details":"## Summary\n\nAllocation of Resources Without Limits or Throttling vulnerability in membraneframework membrane\\_mp4\\_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion.\n\nThe MP4 box header parser converts each 4-byte box name to an atom using String.to\\_atom/1 without validation. 'Elixir.Membrane.MP4.Container.Header':parse\\_box\\_name/1 in lib/membrane\\_mp4/container/header.ex interns every box name encountered while 'Elixir.Membrane.MP4.Container.Header':parse/1 walks the input. BEAM atoms are never garbage-collected, so each unique attacker-controlled 4-byte name is a permanent allocation. A crafted MP4 of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names exhausts the atom table (default ceiling around 1,048,576 atoms), aborting the entire BEAM node and taking down all applications running on it.\n\nThis issue affects membrane\\_mp4\\_plugin from 0.3.0 before 0.36.7.","id":"EEF-CVE-2026-53423","modified":"2026-06-11T10:44:51.528Z","published":"2026-06-11T10:44:51.528Z","references":[{"type":"ADVISORY","url":"https://github.com/membraneframework/membrane_mp4_plugin/security/advisories/GHSA-43hj-fxwj-49qw"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-53423.html"},{"type":"FIX","url":"https://github.com/membraneframework/membrane_mp4_plugin/commit/56373d1ddc86968e55fbde795c14eeba24357b57"},{"type":"PACKAGE","url":"https://hex.pm/packages/membrane_mp4_plugin"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","type":"CVSS_V4"}],"summary":"Unauthenticated denial-of-service via BEAM atom table exhaustion in membrane_mp4_plugin","upstream":[]}