{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34593", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T17:15:52.499Z", "datePublished": "2026-04-02T17:42:26.459Z", "dateUpdated": "2026-04-03T13:04:09.413Z"}, "containers": {"cna": {"title": "Ash Framework: Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/ash-project/ash/security/advisories/GHSA-jjf9-w5vj-r6vp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ash-project/ash/security/advisories/GHSA-jjf9-w5vj-r6vp"}, {"name": "https://github.com/ash-project/ash/releases/tag/v3.22.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/ash-project/ash/releases/tag/v3.22.0"}], "affected": [{"vendor": "ash-project", "product": "ash", "versions": [{"version": "< 3.22.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:42:26.459Z"}, "descriptions": [{"lang": "en", "value": "Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for any user-supplied binary string that starts with \"Elixir.\", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has a hard default limit of approximately 1,048,576 entries, an attacker who can submit values to any resource attribute or argument of type :module can exhaust this table and crash the entire BEAM VM, taking down the application. This issue has been patched in version 3.22.0."}], "source": {"advisory": "GHSA-jjf9-w5vj-r6vp", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ash-project/ash/security/advisories/GHSA-jjf9-w5vj-r6vp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T13:04:06.237768Z", "id": "CVE-2026-34593", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:04:09.413Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34593", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T13:04:06.237768Z"}}}], "references": [{"url": "https://github.com/ash-project/ash/security/advisories/GHSA-jjf9-w5vj-r6vp", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:04:00.511Z"}}], "cna": {"title": "Ash Framework: Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash", "source": {"advisory": "GHSA-jjf9-w5vj-r6vp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "ash-project", "product": "ash", "versions": [{"status": "affected", "version": "< 3.22.0"}]}], "references": [{"url": "https://github.com/ash-project/ash/security/advisories/GHSA-jjf9-w5vj-r6vp", "name": "https://github.com/ash-project/ash/security/advisories/GHSA-jjf9-w5vj-r6vp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ash-project/ash/releases/tag/v3.22.0", "name": "https://github.com/ash-project/ash/releases/tag/v3.22.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for any user-supplied binary string that starts with \"Elixir.\", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has a hard default limit of approximately 1,048,576 entries, an attacker who can submit values to any resource attribute or argument of type :module can exhaust this table and crash the entire BEAM VM, taking down the application. This issue has been patched in version 3.22.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:42:26.459Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34593", "state": "PUBLISHED", "dateUpdated": "2026-04-03T13:04:09.413Z", "dateReserved": "2026-03-30T17:15:52.499Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T17:42:26.459Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ash-hq:ash_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "70F867C8-E383-485D-974F-4D2920134DE1", "versionEndExcluding": "3.22.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for any user-supplied binary string that starts with \"Elixir.\", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has a hard default limit of approximately 1,048,576 entries, an attacker who can submit values to any resource attribute or argument of type :module can exhaust this table and crash the entire BEAM VM, taking down the application. This issue has been patched in version 3.22.0."}], "id": "CVE-2026-34593", "lastModified": "2026-04-13T18:37:04.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T18:16:31.360", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/ash-project/ash/releases/tag/v3.22.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/ash-project/ash/security/advisories/GHSA-jjf9-w5vj-r6vp"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/ash-project/ash/security/advisories/GHSA-jjf9-w5vj-r6vp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.22.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ash", "source": "cna", "vendor": "ash-project"}, "product": "ash", "vendor": "ash-project"}], "analysis": {"en": {"generated_at": "2026-04-13T20:30:28.387483+00:00", "value": {"mitigation_remediation": ["Upgrade Ash Framework to version 3.22.0 or later", "If an upgrade is not immediately possible, restrict the acceptance of :module values or validate that the referenced module exists before invoking cast_input/2", "Monitor for unusual module loading activity"], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All installations of the Ash Framework released before version 3.22.0 are affected. The issue impacts any instance where module\u2011typed attributes or arguments are exposed to untrusted input, including API endpoints, user\u2011supplied configurations, or external data sources. Users of the popular ash\u2011project:ash package should review whether their applications accept :module values from outside the system. Only the 3.22.0 revision or later includes the mitigation that validates the module before atom creation.", "description_and_impact": "Ash Framework's cast_input/2 creates an Erlang atom from any user-supplied binary that starts with \"Elixir.\" by calling Module.concat without first checking if the module exists. Since Erlang atoms are immutable and not garbage collected, each call consumes an entry in the BEAM atom table, which is hard\u2011wired to about one million entries. The unchecked atom creation therefore constitutes both input validation and resource exhaustion weaknesses (CWE\u2011400 and CWE\u2011770). If an attacker can supply such values to a field of type :module\u2014e.g., through an API, form or other external input\u2014they can force the atom table to overflow, causing the BEAM Virtual Machine to crash and the entire application to become unavailable, effectively a denial\u2011of\u2011service attack.", "risk_and_exploitability": "The vulnerability has a CVSS base score of 8.2, indicating high severity. Its EPSS score is lower than 1%, suggesting that exploitation is not common yet, and it is not listed in the CISA KEV catalog. Exploitation requires only the ability to submit arbitrary binary strings to a :module parameter, a capability that many web or API services provide. No privileged permissions are needed, and no complex setup is required; the attack simply drives the atom table until it overflows, leading to an immediate crash of the virtual machine. Because the BEAM atom table is a process\u2011global resource, the impact is system\u2011wide rather than confined to a single request or user."}}}}, "created": "2026-04-03T07:32:11.066777+00:00", "updated": "2026-04-14T16:41:57.006791+00:00", "vendors": ["ash-project", "ash-project$PRODUCT$ash"]}