{"vulnerability": "cve-2026-32686", "sightings": [{"uuid": "51c90de2-b82a-43d0-8506-41309ce2b5d0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-32686", "type": "published-proof-of-concept", "source": "https://github.com/ericmj/decimal/security/advisories/GHSA-rhv4-8758-jx7v", "content": "", "creation_timestamp": "2026-05-07T14:02:14.000000Z"}, {"uuid": "81f0b66a-8f81-4098-a167-cf0459b3f7c3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-32686", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mlbs6ebsmr2r", "content": "CVE-2026-32686 - Unbounded exponent in decimal enables unauthenticated DoS\nCVE ID : CVE-2026-32686\n \n Published : May 7, 2026, 3:16 p.m. | 1\u00a0hour, 9\u00a0minutes ago\n \n Description : Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Den...", "creation_timestamp": "2026-05-07T17:58:55.942691Z"}, {"uuid": "d266f5fc-2399-421c-9c85-a465908f1cb0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-32686", "type": "seen", "source": "https://gist.github.com/alon710/d3518b26e6387505ec4774e026b70deb", "content": "# CVE-2026-32686: CVE-2026-32686: Unbounded Exponent Resource Exhaustion in ericmj/decimal\n\n> **CVSS Score:** 6.9\n> **Published:** 2026-05-12\n> **Full Report:** https://cvereports.com/reports/CVE-2026-32686\n\n## Summary\nThe ericmj/decimal Elixir library suffers from an uncontrolled resource consumption vulnerability. Parsing decimal strings with exceptionally large exponents succeeds with minimal memory overhead, but subsequent arithmetic operations or string formatting attempts to materialize the expanded value. This exhausts BEAM Virtual Machine memory, causing an immediate denial of service.\n\n## TL;DR\nUnbounded exponent parsing in ericmj/decimal allows remote attackers to crash the BEAM VM via OOM by supplying astronomical scientific notation values that trigger massive bignum allocations during arithmetic alignment.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-400: Uncontrolled Resource Consumption\n- **Attack Vector**: Network (via crafted scientific notation payload)\n- **CVSS v4.0**: 6.9 (MEDIUM)\n- **EPSS Score**: 0.07%\n- **Impact**: High Availability (Denial of Service via OOM)\n- **Exploit Status**: Proof of Concept available\n- **Patched Version**: 3.0.0\n\n## Affected Systems\n\n- Elixir applications utilizing the ericmj/decimal package\n- Erlang BEAM Virtual Machine environments processing untrusted decimal inputs\n- **decimal**: >= 0.1.0, < 3.0.0 (Fixed in: `3.0.0`)\n\n## Mitigation\n\n- Upgrade ericmj/decimal dependency to version 3.0.0 or later.\n- Ensure Decimal.Context overrides do not set `emax` or `emin` to `:infinity`.\n- Implement application-level regex validation to reject scientific notation strings with exponents larger than 6000.\n\n**Remediation Steps:**\n1. Modify the `mix.exs` file to update the dependency requirement: `{:decimal, \"~> 3.0\"}`.\n2. Run `mix deps.get` and `mix deps.compile` to fetch and compile the patched version.\n3. Audit the codebase for any manual instances of `Decimal.Context.set/1` and ensure safe limits are maintained.\n4. Deploy the updated application build to production environments.\n\n## References\n\n- [GHSA-rhv4-8758-jx7v](https://github.com/ericmj/decimal/security/advisories/GHSA-rhv4-8758-jx7v)\n- [EEF CNA Record](https://cna.erlef.org/cves/CVE-2026-32686.html)\n- [Fix Commit 6a523f3a73b8c9974540e21c7aa88f1258bb35ae](https://github.com/ericmj/decimal/commit/6a523f3a73b8c9974540e21c7aa88f1258bb35ae)\n- [OSV Data](https://osv.dev/vulnerability/EEF-CVE-2026-32686)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-32686) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-12T15:40:29.000000Z"}]}