CVE-2026-21619
Published: 27 February 2026
Summary
CVE-2026-21619 is a low-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Erlang Rebar3. Its CVSS base score is 2.0 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-21619 is an Uncontrolled Resource Consumption and Deserialization of Untrusted Data vulnerability in hexpm's hex_core (hex_api modules), hex (mix_hex_api modules), and Erlang's rebar3 (r3_hex_api modules). The flaw allows Object Injection and Excessive Allocation via routines such as hex_core:request/4, mix_hex_api:request/4, and r3_hex_api:request/4 in files including src/hex_api.erl, src/mix_hex_api.erl, and apps/rebar/src/vendored/r3_hex_api.erl. It affects hex_core versions from 0.1.0 before 0.12.1, hex from 2.3.0 before 2.3.2, and rebar3 from 3.9.1 before 3.27.0, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and associated CWEs CWE-400 and CWE-502.
A network-accessible attacker requires no privileges or user interaction to exploit the vulnerability. By supplying malicious input to the affected request functions, they can trigger deserialization of untrusted data, leading to object injection and excessive resource allocation that causes denial of service through high availability impact.
Advisories recommend updating to mitigated versions: hex_core 0.12.1 or later, hex 2.3.2 or later, and rebar3 3.27.0 or later. Patches are provided in GitHub commits including rebar3's 1d4478f527e373de0b225951e53115450e0d9b9d, hex's 636739f3322514e9303ca335fb630696fcbb3c95, and hex_core's cdf726095bca85ad2549d146df1e831ae93c2b13, with additional details in the ERLEF CNA page at https://cna.erlef.org/cves/CVE-2026-21619.html and hex_core's GHSA-hx9w-f2w9-9g96.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9037
Vulnerability details
Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4,…
more
mix_hex_api:request/4, r3_hex_api:request/4. This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated network exploitation of deserialization/resource exhaustion in request handlers directly enables T1190 (public-facing app) and T1499.004 (DoS via app/system exploitation).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 requires timely flaw remediation, directly addressing this CVE by updating to patched versions of hex_core, hex, and rebar3 to fix the deserialization vulnerability.
SI-10 mandates validation of untrusted inputs to the affected request functions, preventing malicious deserialization of data leading to object injection.
SC-5 provides denial-of-service protection mechanisms to mitigate uncontrolled resource consumption and excessive allocation triggered by this vulnerability.