CVE-2026-53430 - Vulnerability Details

Vendors	Products
Elixir-grpc	Grpc

Link	Providers
https://cna.erlef.org/cves/CVE-2026-53430.html
https://github.com/elixir-grpc/grpc/commit/1afbab9d57d2a3e16ca9c62ffa4923338ea96cfc
https://github.com/elixir-grpc/grpc/security/advisories/GHSA-6ccx-9c9f-327w
https://osv.dev/vulnerability/EEF-CVE-2026-53430

Type	Values Removed	Values Added
Description		Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Message modules) allows a denial of service via a gzip decompression bomb. This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.ex and program routines 'Elixir.GRPC.Compressor.Gzip':decompress/1, 'Elixir.GRPC.Message':from_data/2. 'Elixir.GRPC.Compressor.Gzip':decompress/1 calls :zlib.gunzip/1 directly on attacker-controlled bytes with no decompressed-size limit, ratio check, or incremental decoding. Because this module is the registered gzip GRPC.Compressor implementation, it is invoked automatically whenever an incoming gRPC frame carries the grpc-encoding: gzip header. :zlib.gunzip/1 allocates the entire decompressed result as a single binary, so a small highly compressible payload (for example a few kilobytes of zeros, which gzip compresses at roughly 1000:1) expands to multiple gigabytes inside a single call. The max_receive_message_length limit is enforced only against the already-decompressed message, so it provides no protection. An unauthenticated remote peer can send a single crafted frame to exhaust the BEAM node's heap and trigger an out-of-memory kill. This issue affects grpc: from 0.4.0 before 1.0.0.
Title		grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1
First Time appeared		Elixir-grpc Elixir-grpc grpc
Weaknesses		CWE-409
CPEs		cpe:2.3:a:elixir-grpc:grpc::::::::
Vendors & Products		Elixir-grpc Elixir-grpc grpc
References		https://cna.erlef.org/cves/CVE-2026-53430.html https://github.com/elixir-grpc/grpc/commit/1afbab9d57d2a3e16ca9c62ffa4923338ea96cfc https://github.com/elixir-grpc/grpc/security/advisories/GHSA-6ccx-9c9f-327w https://osv.dev/vulnerability/EEF-CVE-2026-53430
Metrics		cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-53430", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "state": "PUBLISHED", "assignerShortName": "EEF", "dateReserved": "2026-06-09T11:01:47.529Z", "datePublished": "2026-06-15T21:55:33.707Z", "dateUpdated": "2026-06-15T21:55:33.707Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://hex.pm", "cpes": ["cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["'Elixir.GRPC.Compressor.Gzip'", "'Elixir.GRPC.Message'"], "packageName": "grpc", "packageURL": "pkg:hex/grpc", "product": "grpc", "programFiles": ["lib/grpc/compressor/gzip.ex", "lib/grpc/message.ex"], "programRoutines": [{"name": "'Elixir.GRPC.Compressor.Gzip':decompress/1"}, {"name": "'Elixir.GRPC.Message':from_data/2"}], "repo": "https://github.com/elixir-grpc/grpc", "vendor": "elixir-grpc", "versions": [{"lessThan": "1.0.0", "status": "affected", "version": "0.4.0", "versionType": "semver"}]}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["'Elixir.GRPC.Compressor.Gzip'", "'Elixir.GRPC.Message'"], "packageName": "elixir-grpc/grpc", "packageURL": "pkg:github/elixir-grpc/grpc", "product": "grpc", "programFiles": ["lib/grpc/compressor/gzip.ex", "lib/grpc/message.ex"], "programRoutines": [{"name": "'Elixir.GRPC.Compressor.Gzip':decompress/1"}, {"name": "'Elixir.GRPC.Message':from_data/2"}], "repo": "https://github.com/elixir-grpc/grpc", "vendor": "elixir-grpc", "versions": [{"lessThan": "1afbab9d57d2a3e16ca9c62ffa4923338ea96cfc", "status": "affected", "version": "beae6800fc8baf126f3fe7107d86a50e105275ba", "versionType": "git"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.0.0", "versionStartIncluding": "0.4.0", "vulnerable": true}], "negate": false, "operator": "AND"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Ullrich"}, {"lang": "en", "type": "remediation developer", "value": "Paulo Valente"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (<tt>GRPC.Compressor.Gzip</tt>, <tt>GRPC.Message</tt> modules) allows a denial of service via a gzip decompression bomb.This vulnerability is associated with program files <tt>lib/grpc/compressor/gzip.ex</tt>, <tt>lib/grpc/message.ex</tt> and program routines <tt>'Elixir.GRPC.Compressor.Gzip':decompress/1</tt>, <tt>'Elixir.GRPC.Message':from_data/2</tt>.<tt>'Elixir.GRPC.Compressor.Gzip':decompress/1</tt> calls <tt>:zlib.gunzip/1</tt> directly on attacker-controlled bytes with no decompressed-size limit, ratio check, or incremental decoding. Because this module is the registered gzip <tt>GRPC.Compressor</tt> implementation, it is invoked automatically whenever an incoming gRPC frame carries the <tt>grpc-encoding: gzip</tt> header. <tt>:zlib.gunzip/1</tt> allocates the entire decompressed result as a single binary, so a small highly compressible payload (for example a few kilobytes of zeros, which gzip compresses at roughly 1000:1) expands to multiple gigabytes inside a single call. The <tt>max_receive_message_length</tt> limit is enforced only against the already-decompressed message, so it provides no protection. An unauthenticated remote peer can send a single crafted frame to exhaust the BEAM node's heap and trigger an out-of-memory kill.This issue affects grpc: from 0.4.0 before 1.0.0."}], "value": "Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Message modules) allows a denial of service via a gzip decompression bomb.\n\nThis vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.ex and program routines 'Elixir.GRPC.Compressor.Gzip':decompress/1, 'Elixir.GRPC.Message':from_data/2.\n\n'Elixir.GRPC.Compressor.Gzip':decompress/1 calls :zlib.gunzip/1 directly on attacker-controlled bytes with no decompressed-size limit, ratio check, or incremental decoding. Because this module is the registered gzip GRPC.Compressor implementation, it is invoked automatically whenever an incoming gRPC frame carries the grpc-encoding: gzip header. :zlib.gunzip/1 allocates the entire decompressed result as a single binary, so a small highly compressible payload (for example a few kilobytes of zeros, which gzip compresses at roughly 1000:1) expands to multiple gigabytes inside a single call. The max_receive_message_length limit is enforced only against the already-decompressed message, so it provides no protection. An unauthenticated remote peer can send a single crafted frame to exhaust the BEAM node's heap and trigger an out-of-memory kill.\n\nThis issue affects grpc: from 0.4.0 before 1.0.0."}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"cvssV4_0": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-409", "description": "CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-06-15T21:55:33.707Z"}, "references": [{"tags": ["vendor-advisory", "related"], "url": "https://github.com/elixir-grpc/grpc/security/advisories/GHSA-6ccx-9c9f-327w"}, {"tags": ["related"], "url": "https://cna.erlef.org/cves/CVE-2026-53430.html"}, {"tags": ["related"], "url": "https://osv.dev/vulnerability/EEF-CVE-2026-53430"}, {"tags": ["patch"], "url": "https://github.com/elixir-grpc/grpc/commit/1afbab9d57d2a3e16ca9c62ffa4923338ea96cfc"}], "source": {"discovery": "EXTERNAL"}, "title": "grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1", "x_generator": {"engine": "cvelib 1.8.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Message modules) allows a denial of service via a gzip decompression bomb.\n\nThis vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.ex and program routines 'Elixir.GRPC.Compressor.Gzip':decompress/1, 'Elixir.GRPC.Message':from_data/2.\n\n'Elixir.GRPC.Compressor.Gzip':decompress/1 calls :zlib.gunzip/1 directly on attacker-controlled bytes with no decompressed-size limit, ratio check, or incremental decoding. Because this module is the registered gzip GRPC.Compressor implementation, it is invoked automatically whenever an incoming gRPC frame carries the grpc-encoding: gzip header. :zlib.gunzip/1 allocates the entire decompressed result as a single binary, so a small highly compressible payload (for example a few kilobytes of zeros, which gzip compresses at roughly 1000:1) expands to multiple gigabytes inside a single call. The max_receive_message_length limit is enforced only against the already-decompressed message, so it provides no protection. An unauthenticated remote peer can send a single crafted frame to exhaust the BEAM node's heap and trigger an out-of-memory kill.\n\nThis issue affects grpc: from 0.4.0 before 1.0.0."}], "id": "CVE-2026-53430", "lastModified": "2026-06-15T23:16:46.363", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}, "published": "2026-06-15T23:16:46.363", "references": [{"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://cna.erlef.org/cves/CVE-2026-53430.html"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/elixir-grpc/grpc/commit/1afbab9d57d2a3e16ca9c62ffa4923338ea96cfc"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/elixir-grpc/grpc/security/advisories/GHSA-6ccx-9c9f-327w"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://osv.dev/vulnerability/EEF-CVE-2026-53430"}], "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-409"}], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object