Cyber Resilience

CVE-2026-21619

Low

Published: 27 February 2026

Published
27 February 2026
Modified
06 April 2026
KEV Added
Patch
CVSS Score v4 2.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0007 21.1th percentile
Risk Priority 4 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21619 is a low-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Erlang Rebar3. Its CVSS base score is 2.0 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-21619 is an Uncontrolled Resource Consumption and Deserialization of Untrusted Data vulnerability in hexpm's hex_core (hex_api modules), hex (mix_hex_api modules), and Erlang's rebar3 (r3_hex_api modules). The flaw allows Object Injection and Excessive Allocation via routines such as hex_core:request/4, mix_hex_api:request/4, and r3_hex_api:request/4 in files including src/hex_api.erl, src/mix_hex_api.erl, and apps/rebar/src/vendored/r3_hex_api.erl. It affects hex_core versions from 0.1.0 before 0.12.1, hex from 2.3.0 before 2.3.2, and rebar3 from 3.9.1 before 3.27.0, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and associated CWEs CWE-400 and CWE-502.

A network-accessible attacker requires no privileges or user interaction to exploit the vulnerability. By supplying malicious input to the affected request functions, they can trigger deserialization of untrusted data, leading to object injection and excessive resource allocation that causes denial of service through high availability impact.

Advisories recommend updating to mitigated versions: hex_core 0.12.1 or later, hex 2.3.2 or later, and rebar3 3.27.0 or later. Patches are provided in GitHub commits including rebar3's 1d4478f527e373de0b225951e53115450e0d9b9d, hex's 636739f3322514e9303ca335fb630696fcbb3c95, and hex_core's cdf726095bca85ad2549d146df1e831ae93c2b13, with additional details in the ERLEF CNA page at https://cna.erlef.org/cves/CVE-2026-21619.html and hex_core's GHSA-hx9w-f2w9-9g96.

EU & UK References

Vulnerability details

Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4,…

more

mix_hex_api:request/4, r3_hex_api:request/4. This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated network exploitation of deserialization/resource exhaustion in request handlers directly enables T1190 (public-facing app) and T1499.004 (DoS via app/system exploitation).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23864Shared CWE-400, CWE-502
CVE-2026-23869Shared CWE-400, CWE-502
CVE-2026-39304Shared CWE-400
CVE-2025-22777Shared CWE-502
CVE-2026-21637Shared CWE-400
CVE-2025-40944Shared CWE-400
CVE-2025-70886Shared CWE-400
CVE-2026-46834Shared CWE-400
CVE-2026-33204Shared CWE-400
CVE-2026-23824Shared CWE-400

Affected Assets

erlang
rebar3
3.9.1 — 3.27.0
hex
hex
2.3.0 — 2.3.2
hex
hex core
0.1.0 — 0.12.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely flaw remediation, directly addressing this CVE by updating to patched versions of hex_core, hex, and rebar3 to fix the deserialization vulnerability.

prevent

SI-10 mandates validation of untrusted inputs to the affected request functions, preventing malicious deserialization of data leading to object injection.

preventdetect

SC-5 provides denial-of-service protection mechanisms to mitigate uncontrolled resource consumption and excessive allocation triggered by this vulnerability.

References