Vulnerability Description
Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has a hard default limit of approximately 1,048,576 entries, an attacker who can submit values to any resource attribute or argument of type :module can exhaust this table and crash the entire BEAM VM, taking down the application. This issue has been patched in version 3.22.0.
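The cast pattern described above next to a hardened form, as an added example that is not Ash's source code or its 3.22.0 patch. The module and function names (`ModuleCastExample`, `unsafe_cast/1`, `safe_cast/1`, `atom_usage/0`) and the sample inputs are assumptions made for illustration.

```elixir
defmodule ModuleCastExample do
  # Hypothetical helper module for illustration; not part of Ash.

  # Pattern described in the advisory: Module.concat/1 creates the atom
  # first and the existence check happens afterwards, so every distinct
  # "Elixir.*" string leaves a permanent entry in the atom table.
  def unsafe_cast("Elixir." <> _ = value) do
    module = Module.concat([value])
    if Code.ensure_loaded?(module), do: {:ok, module}, else: :error
  end

  def unsafe_cast(_), do: :error

  # Hardened form: Module.safe_concat/1 only resolves names whose atom
  # already exists and raises ArgumentError otherwise, so unknown input
  # never reaches the atom table.
  def safe_cast("Elixir." <> _ = value) do
    module = Module.safe_concat([value])
    if Code.ensure_loaded?(module), do: {:ok, module}, else: :error
  rescue
    ArgumentError -> :error
  end

  def safe_cast(_), do: :error

  # Fraction of the atom table in use; a steadily rising value on a
  # running node is the signal to alert on.
  def atom_usage do
    :erlang.system_info(:atom_count) / :erlang.system_info(:atom_limit)
  end
end

# Constructed sample input: a module name that does not exist.
unknown = "Elixir.Constructed.Sample.DoesNotExist"

before = :erlang.system_info(:atom_count)
IO.inspect(ModuleCastExample.safe_cast(unknown), label: "safe_cast, unknown module")
IO.inspect(ModuleCastExample.safe_cast("Elixir.Enum"), label: "safe_cast, known module")
IO.inspect(:erlang.system_info(:atom_count) - before, label: "atom table growth")
IO.inspect(ModuleCastExample.atom_usage(), label: "atom table usage")
```

Exporting `atom_usage/0` as a metric gives an early warning on nodes that cannot be upgraded to 3.22.0 immediately.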
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ash-Hq | Ash Framework | < 3.22.0 |
Related Weaknesses (CWE)
References
- https://github.com/ash-project/ash/releases/tag/v3.22.0 (Product, Release Notes)
- https://github.com/ash-project/ash/security/advisories/GHSA-jjf9-w5vj-r6vp (Vendor Advisory, Exploit)
FAQ
What is CVE-2026-34593?
CVE-2026-34593 is a vulnerability with a CVSS score of 7.5 (HIGH). Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat...
How severe is CVE-2026-34593?
CVE-2026-34593 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-34593?
Check the references section above for vendor advisories and patch information. Affected products include: Ash-Hq Ash Framework.