{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21619", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "state": "PUBLISHED", "assignerShortName": "EEF", "dateReserved": "2026-01-01T03:46:45.933Z", "datePublished": "2026-02-27T17:57:11.513Z", "dateUpdated": "2026-04-06T16:44:11.526Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:hexpm:hex_core:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["hex_api"], "packageName": "hexpm/hex_core", "packageURL": "pkg:github/hexpm/hex_core", "product": "hex_core", "programFiles": ["src/hex_api.erl"], "programRoutines": [{"name": "hex_core:request/4"}], "repo": "https://github.com/hexpm/hex_core", "vendor": "hexpm", "versions": [{"lessThan": "cdf726095bca85ad2549d146df1e831ae93c2b13", "status": "affected", "version": "eb327f8edfe45507351e38cc0805aa12fa647f0b", "versionType": "git"}]}, {"collectionURL": "https://repo.hex.pm", "cpes": ["cpe:2.3:a:hexpm:hex_core:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["hex_api"], "packageName": "hex_core", "packageURL": "pkg:hex/hex_core", "product": "hex_core", "programFiles": ["src/hex_api.erl"], "programRoutines": [{"name": "hex_core:request/4"}], "repo": "https://github.com/hexpm/hex_core", "vendor": "hexpm", "versions": [{"lessThan": "0.12.1", "status": "affected", "version": "0.1.0", "versionType": "semver"}]}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:hexpm:hex:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["mix_hex_api"], "packageName": "hexpm/hex", "packageURL": "pkg:github/hexpm/hex", "product": "hex", "programFiles": ["src/mix_hex_api.erl"], "programRoutines": [{"name": "mix_hex_api:request/4"}], "repo": "https://github.com/hexpm/hex", "vendor": "hexpm", "versions": [{"lessThan": "636739f3322514e9303ca335fb630696fcbb3c95", "status": "affected", "version": "314546ac432229518714cc8e3336e916b9da6305", "versionType": "git"}]}, {"cpes": ["cpe:2.3:a:hexpm:hex:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["mix_hex_api"], "packageName": "hex", "packageURL": "pkg:otp/hex?repository_url=https:%2F%2Fgithub.com%2Fhexpm%2Fhex.git&vcs_url=git%2Bhttps:%2F%2Fgithub.com%2Fhexpm%2Fhex.git", "product": "hex", "programFiles": ["src/mix_hex_api.erl"], "programRoutines": [{"name": "mix_hex_api:request/4"}], "repo": "https://github.com/hexpm/hex", "vendor": "hexpm", "versions": [{"lessThan": "2.3.2", "status": "affected", "version": "2.3.0", "versionType": "semver"}]}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:erlang:rebar3:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["r3_hex_api"], "packageName": "erlang/rebar3", "packageURL": "pkg:github/erlang/rebar3", "product": "rebar3", "programFiles": ["apps/rebar/src/vendored/r3_hex_api.erl"], "programRoutines": [{"name": "r3_hex_api:request/4"}], "repo": "https://github.com/erlang/rebar3", "vendor": "erlang", "versions": [{"lessThan": "1d4478f527e373de0b225951e53115450e0d9b9d", "status": "affected", "version": "209c02ec57c2cc3207ee0174c3af3675b8dc8f79", "versionType": "git"}]}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:erlang:rebar3:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["r3_hex_api"], "packageName": "rebar3", "packageURL": "pkg:otp/rebar3?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Frebar3.git&vcs_url=git%2Bhttps:%2F%2Fgithub.com%2Ferlang%2Frebar3.git", "product": "rebar3", "programFiles": ["apps/rebar/src/vendored/r3_hex_api.erl"], "programRoutines": [{"name": "r3_hex_api:request/4"}], "repo": "https://github.com/erlang/rebar3", "vendor": "erlang", "versions": [{"lessThan": "3.27.0", "status": "affected", "version": "3.9.1", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hexpm:hex_core:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.12.1", "versionStartIncluding": "0.1.0", "vulnerable": true}], "negate": false, "operator": "AND"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:hexpm:hex:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.2", "versionStartIncluding": "2.3.0", "vulnerable": true}], "negate": false, "operator": "AND"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:erlang:rebar3:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.27.0", "versionStartIncluding": "3.9.1", "vulnerable": true}], "negate": false, "operator": "AND"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Lubas / Paraxial.ia"}, {"lang": "en", "type": "remediation developer", "value": "Jonatan M\u00e4nnchen / EEF"}, {"lang": "en", "type": "remediation reviewer", "value": "Eric Meadows-J\u00f6nsson / Hex.pm"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation.<p> This vulnerability is associated with program files <tt>src/hex_api.erl</tt>, <tt>src/mix_hex_api.erl</tt>, <tt>apps/rebar/src/vendored/r3_hex_api.erl</tt> and program routines <tt>hex_core:request/4</tt>, <tt>mix_hex_api:request/4</tt>, <tt>r3_hex_api:request/4</tt>.</p><p>This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.</p>"}], "value": "Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4.\n\nThis issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}, {"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 2, "baseSeverity": "LOW", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-04-06T16:44:11.526Z"}, "references": [{"tags": ["vendor-advisory", "related"], "url": "https://github.com/hexpm/hex_core/security/advisories/GHSA-hx9w-f2w9-9g96"}, {"tags": ["related"], "url": "https://cna.erlef.org/cves/CVE-2026-21619.html"}, {"tags": ["related"], "url": "https://osv.dev/vulnerability/EEF-CVE-2026-21619"}, {"tags": ["patch"], "url": "https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13"}, {"tags": ["patch"], "url": "https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95"}, {"tags": ["patch"], "url": "https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d"}], "source": {"discovery": "INTERNAL"}, "title": "Unsafe Deserialization of Erlang Terms in hex_core", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T19:08:49.652728Z", "id": "CVE-2026-21619", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T19:08:57.019Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21619", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T19:08:49.652728Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T19:08:54.436Z"}}], "cna": {"title": "Unsafe Deserialization of Erlang Terms in hex_core", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Michael Lubas / Paraxial.ia"}, {"lang": "en", "type": "remediation developer", "value": "Jonatan M\u00e4nnchen / EEF"}, {"lang": "en", "type": "remediation reviewer", "value": "Eric Meadows-J\u00f6nsson / Hex.pm"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}, {"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:hexpm:hex_core:*:*:*:*:*:*:*:*"], "repo": "https://github.com/hexpm/hex_core", "vendor": "hexpm", "modules": ["hex_api"], "product": "hex_core", "versions": [{"status": "affected", "version": "eb327f8edfe45507351e38cc0805aa12fa647f0b", "lessThan": "cdf726095bca85ad2549d146df1e831ae93c2b13", "versionType": "git"}], "packageURL": "pkg:github/hexpm/hex_core", "packageName": "hexpm/hex_core", "programFiles": ["src/hex_api.erl"], "collectionURL": "https://github.com", "defaultStatus": "unaffected", "programRoutines": [{"name": "hex_core:request/4"}]}, {"cpes": ["cpe:2.3:a:hexpm:hex_core:*:*:*:*:*:*:*:*"], "repo": "https://github.com/hexpm/hex_core", "vendor": "hexpm", "modules": ["hex_api"], "product": "hex_core", "versions": [{"status": "affected", "version": "0.1.0", "lessThan": "0.12.1", "versionType": "semver"}], "packageURL": "pkg:hex/hex_core", "packageName": "hex_core", "programFiles": ["src/hex_api.erl"], "collectionURL": "https://repo.hex.pm", "defaultStatus": "unaffected", "programRoutines": [{"name": "hex_core:request/4"}]}, {"cpes": ["cpe:2.3:a:hexpm:hex:*:*:*:*:*:*:*:*"], "repo": "https://github.com/hexpm/hex", "vendor": "hexpm", "modules": ["mix_hex_api"], "product": "hex", "versions": [{"status": "affected", "version": "314546ac432229518714cc8e3336e916b9da6305", "lessThan": "636739f3322514e9303ca335fb630696fcbb3c95", "versionType": "git"}], "packageURL": "pkg:github/hexpm/hex", "packageName": "hexpm/hex", "programFiles": ["src/mix_hex_api.erl"], "collectionURL": "https://github.com", "defaultStatus": "unaffected", "programRoutines": [{"name": "mix_hex_api:request/4"}]}, {"cpes": ["cpe:2.3:a:hexpm:hex:*:*:*:*:*:*:*:*"], "repo": "https://github.com/hexpm/hex", "vendor": "hexpm", "modules": ["mix_hex_api"], "product": "hex", "versions": [{"status": "affected", "version": "2.3.0", "lessThan": "2.3.2", "versionType": "semver"}], "packageURL": "pkg:otp/hex?repository_url=https:%2F%2Fgithub.com%2Fhexpm%2Fhex.git&vcs_url=git%2Bhttps:%2F%2Fgithub.com%2Fhexpm%2Fhex.git", "packageName": "hex", "programFiles": ["src/mix_hex_api.erl"], "defaultStatus": "unaffected", "programRoutines": [{"name": "mix_hex_api:request/4"}]}, {"cpes": ["cpe:2.3:a:erlang:rebar3:*:*:*:*:*:*:*:*"], "repo": "https://github.com/erlang/rebar3", "vendor": "erlang", "modules": ["r3_hex_api"], "product": "rebar3", "versions": [{"status": "affected", "version": "209c02ec57c2cc3207ee0174c3af3675b8dc8f79", "lessThan": "1d4478f527e373de0b225951e53115450e0d9b9d", "versionType": "git"}], "packageURL": "pkg:github/erlang/rebar3", "packageName": "erlang/rebar3", "programFiles": ["apps/rebar/src/vendored/r3_hex_api.erl"], "collectionURL": "https://github.com", "defaultStatus": "unaffected", "programRoutines": [{"name": "r3_hex_api:request/4"}]}, {"cpes": ["cpe:2.3:a:erlang:rebar3:*:*:*:*:*:*:*:*"], "repo": "https://github.com/erlang/rebar3", "vendor": "erlang", "modules": ["r3_hex_api"], "product": "rebar3", "versions": [{"status": "affected", "version": "3.9.1", "lessThan": "3.27.0", "versionType": "semver"}], "packageURL": "pkg:otp/rebar3?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Frebar3.git&vcs_url=git%2Bhttps:%2F%2Fgithub.com%2Ferlang%2Frebar3.git", "packageName": "rebar3", "programFiles": ["apps/rebar/src/vendored/r3_hex_api.erl"], "collectionURL": "https://github.com", "defaultStatus": "unaffected", "programRoutines": [{"name": "r3_hex_api:request/4"}]}], "references": [{"url": "https://github.com/hexpm/hex_core/security/advisories/GHSA-hx9w-f2w9-9g96", "tags": ["vendor-advisory", "related"]}, {"url": "https://cna.erlef.org/cves/CVE-2026-21619.html", "tags": ["related"]}, {"url": "https://osv.dev/vulnerability/EEF-CVE-2026-21619", "tags": ["related"]}, {"url": "https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13", "tags": ["patch"]}, {"url": "https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95", "tags": ["patch"]}, {"url": "https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4.\n\nThis issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.", "supportingMedia": [{"type": "text/html", "value": "Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation.<p> This vulnerability is associated with program files <tt>src/hex_api.erl</tt>, <tt>src/mix_hex_api.erl</tt>, <tt>apps/rebar/src/vendored/r3_hex_api.erl</tt> and program routines <tt>hex_core:request/4</tt>, <tt>mix_hex_api:request/4</tt>, <tt>r3_hex_api:request/4</tt>.</p><p>This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hexpm:hex_core:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "0.12.1", "versionStartIncluding": "0.1.0"}], "operator": "AND"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hexpm:hex:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.3.2", "versionStartIncluding": "2.3.0"}], "operator": "AND"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:erlang:rebar3:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.27.0", "versionStartIncluding": "3.9.1"}], "operator": "AND"}], "operator": "OR"}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-04-06T16:44:11.526Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21619", "state": "PUBLISHED", "dateUpdated": "2026-04-06T16:44:11.526Z", "dateReserved": "2026-01-01T03:46:45.933Z", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "datePublished": "2026-02-27T17:57:11.513Z", "assignerShortName": "EEF"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:erlang:rebar3:*:*:*:*:*:*:*:*", "matchCriteriaId": "C21AB09A-0A82-419D-9A2E-A2C3F771655D", "versionEndExcluding": "3.27.0", "versionStartIncluding": "3.9.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:hex:hex:*:*:*:*:*:*:*:*", "matchCriteriaId": "477DC32B-3F4B-4F45-BB4B-E0236656AB50", "versionEndExcluding": "2.3.2", "versionStartIncluding": "2.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hex:hex_core:*:*:*:*:*:*:*:*", "matchCriteriaId": "91F2E848-912E-48E6-9784-7781F04E3222", "versionEndExcluding": "0.12.1", "versionStartIncluding": "0.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4.\n\nThis issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0."}, {"lang": "es", "value": "Consumo de Recursos No Controlado, vulnerabilidad de Deserializaci\u00f3n de Datos No Confiables en hexpm hex_core (m\u00f3dulos hex_api), hexpm hex (m\u00f3dulos mix_hex_api), erlang rebar3 (m\u00f3dulos r3_hex_api) permite Inyecci\u00f3n de Objetos, Asignaci\u00f3n Excesiva. Esta vulnerabilidad est\u00e1 asociada con los archivos de programa src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl y las rutinas de programa hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4.\n\nEste problema afecta a hex_core: desde 0.1.0 antes de 0.12.1; hex: desde 2.3.0 antes de 2.3.2; rebar3: desde 3.9.1 antes de 3.27.0."}], "id": "CVE-2026-21619", "lastModified": "2026-04-06T17:17:07.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}, "published": "2026-02-27T18:16:11.373", "references": [{"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://cna.erlef.org/cves/CVE-2026-21619.html"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "tags": ["Patch"], "url": "https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "tags": ["Patch"], "url": "https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "tags": ["Patch"], "url": "https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/hexpm/hex_core/security/advisories/GHSA-hx9w-f2w9-9g96"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://osv.dev/vulnerability/EEF-CVE-2026-21619"}], "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-502"}], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[209c02ec57c2cc3207ee0174c3af3675b8dc8f79, 1d4478f527e373de0b225951e53115450e0d9b9d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.9.1,3.27.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[pkg:otp/rebar3@3.9.1, pkg:otp/rebar3@3.27.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "rebar3", "source": "cna", "vendor": "erlang"}, "product": "rebar3", "vendor": "erlang"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.9.1,3.27.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[pkg:otp/rebar3@3.9.1, pkg:otp/rebar3@3.27.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "rebar3", "source": "cna", "vendor": "erlang"}, "product": "rebar3", "vendor": "erlang"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[314546ac432229518714cc8e3336e916b9da6305, 636739f3322514e9303ca335fb630696fcbb3c95)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.3.0,2.3.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[pkg:hex/hex@2.3.0, pkg:hex/hex@2.3.2)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "hex", "source": "cna", "vendor": "hexpm"}, "product": "hex", "vendor": "hexpm"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.3.0,2.3.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[pkg:hex/hex@2.3.0, pkg:hex/hex@2.3.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "hex", "source": "cna", "vendor": "hexpm"}, "product": "hex", "vendor": "hexpm"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[eb327f8edfe45507351e38cc0805aa12fa647f0b, cdf726095bca85ad2549d146df1e831ae93c2b13)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.1.0,0.12.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[pkg:hex/hex_core@0.1.0, pkg:hex/hex_core@0.12.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "hex_core", "source": "cna", "vendor": "hexpm"}, "product": "hex_core", "vendor": "hexpm"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.1.0,0.12.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[pkg:hex/hex_core@0.1.0, pkg:hex/hex_core@0.12.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "hex_core", "source": "cna", "vendor": "hexpm"}, "product": "hex_core", "vendor": "hexpm"}], "analysis": {"en": {"generated_at": "2026-04-15T23:50:44.313644+00:00", "value": {"mitigation_remediation": ["Upgrade all affected products to at least rebar3 3.27.0, hex 2.3.2, and hex_core 0.12.1 or later, which contain the deserialization fix.", "If an upgrade is not immediately possible, apply the security patches from the commit records linked in the advisory (hex_core: cdf72609, hex: 636739f3, rebar3: 1d4478f5) to remove the unsafe deserialization logic.", "Restrict or validate all external data before passing it to the hex_core, hex, or rebar3 APIs to ensure only trusted Erlang terms are processed."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via resource exhaustion"}, "threat_synthesis": {"affected_systems": "Affected vendors and products include Erlang\u2019s rebar3, Hex\u2019s hex, and hex_core. Specific vulnerable versions are: rebar3 3.9.1 through 3.26.x, hex 2.3.0 through 2.3.1, and hex_core 0.1.0 through 0.12.0.", "description_and_impact": "The vulnerability stems from unsafe deserialization of Erlang terms in the hex_core, hex, and rebar3 products, allowing an attacker to inject malicious objects that can cause excessive allocation of system resources. This can lead to denial of service conditions by exhausting memory or processing capacity. The weakness is identified as resource exhaustion and deserialization of untrusted data, mapped to CWE\u2011400 and CWE\u2011502.", "risk_and_exploitability": "The CVSS score is 2.0, indicating a low severity, and the EPSS score is less than 1%, signaling a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, implying no mass exploitation evidence. The likely attack vector is an application or module that loads untrusted data into these libraries; downstream applications that use these modules may be affected if they process external input unfiltered. Exploitation would require the attacker to provide malicious Erlang terms to one of the deserialization routines, resulting in uncontrolled resource allocation."}}}}, "created": "2026-03-02T12:06:57.271375+00:00", "updated": "2026-04-16T00:00:14.131425+00:00", "vendors": ["erlang", "erlang$PRODUCT$rebar3", "hexpm", "hexpm$PRODUCT$hex", "hexpm$PRODUCT$hex_core"]}