Cyber Posture

CVE-2026-21619

HighRCE

Published: 27 February 2026

Published
27 February 2026
Modified
06 April 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0007 20.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21619 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Erlang Rebar3. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SA-11 Developer Testing and Evaluation
addresses: CWE-400 CWE-502

Resource consumption and denial-of-service testing performed under the assessment plan detects uncontrolled allocation paths that are subsequently fixed.

AC-10 Concurrent Session Control
addresses: CWE-400

Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.

AU-6 Audit Record Review, Analysis, and Reporting
addresses: CWE-400

Analysis identifies uncontrolled resource consumption indicative of denial-of-service or abuse attempts.

CA-8 Penetration Testing
addresses: CWE-502

Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.

CP-4 Contingency Plan Testing
addresses: CWE-400

Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.

CP-5 Contingency Plan Update
addresses: CWE-400

Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.

CP-7 Alternate Processing Site
addresses: CWE-400

Alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.

CP-8 Telecommunications Services
addresses: CWE-400

Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Remote unauthenticated network exploitation of deserialization/resource exhaustion in request handlers directly enables T1190 (public-facing app) and T1499.004 (DoS via app/system exploitation).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4,…

more

mix_hex_api:request/4, r3_hex_api:request/4. This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.

Deeper analysisAI

CVE-2026-21619 is an Uncontrolled Resource Consumption and Deserialization of Untrusted Data vulnerability in hexpm's hex_core (hex_api modules), hex (mix_hex_api modules), and Erlang's rebar3 (r3_hex_api modules). The flaw allows Object Injection and Excessive Allocation via routines such as hex_core:request/4, mix_hex_api:request/4, and r3_hex_api:request/4 in files including src/hex_api.erl, src/mix_hex_api.erl, and apps/rebar/src/vendored/r3_hex_api.erl. It affects hex_core versions from 0.1.0 before 0.12.1, hex from 2.3.0 before 2.3.2, and rebar3 from 3.9.1 before 3.27.0, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and associated CWEs CWE-400 and CWE-502.

A network-accessible attacker requires no privileges or user interaction to exploit the vulnerability. By supplying malicious input to the affected request functions, they can trigger deserialization of untrusted data, leading to object injection and excessive resource allocation that causes denial of service through high availability impact.

Advisories recommend updating to mitigated versions: hex_core 0.12.1 or later, hex 2.3.2 or later, and rebar3 3.27.0 or later. Patches are provided in GitHub commits including rebar3's 1d4478f527e373de0b225951e53115450e0d9b9d, hex's 636739f3322514e9303ca335fb630696fcbb3c95, and hex_core's cdf726095bca85ad2549d146df1e831ae93c2b13, with additional details in the ERLEF CNA page at https://cna.erlef.org/cves/CVE-2026-21619.html and hex_core's GHSA-hx9w-f2w9-9g96.

Details

CWE(s)
CWE-400CWE-502

Affected Products

erlang
rebar3
3.9.1 — 3.27.0
hex
hex
2.3.0 — 2.3.2
hex
hex core
0.1.0 — 0.12.1

CVEs Like This One

CVE-2026-23869Shared CWE-400, CWE-502
CVE-2026-23864Shared CWE-400, CWE-502
CVE-2025-65890Shared CWE-400
CVE-2025-20058Shared CWE-400
CVE-2025-21547Shared CWE-400
CVE-2025-59472Shared CWE-400
CVE-2025-59464Shared CWE-400
CVE-2026-21728Shared CWE-400
CVE-2026-30350Shared CWE-400
CVE-2026-25819Shared CWE-400

References