Cyber Resilience

CVE-2026-32148

HighPublic PoC

Published: 30 April 2026

Published
30 April 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score v4 8.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0019 9.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-32148 is a high-severity Improper Validation of Integrity Check Value (CWE-354) vulnerability in Hex Hex. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001); ranked at the 9.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Insufficient Verification of Data Authenticity vulnerability in hexpm hex (Hex.RemoteConverger module) allows dependency integrity bypass via unverified lockfile checksums. Hex stores checksums for dependencies in the mix.lock file to ensure reproducible and integrity-checked builds. However, Hex.RemoteConverger.verify_resolved/2 never executes checksum verification…

more

because the lock data returned by Hex.Utils.lock/1 uses string-based dependency names, while the verification logic compares against atom-based names. This type mismatch causes the verification code path to be silently skipped. Checksums are still validated when packages are initially downloaded from the registry, but mismatches between the lockfile and resolved dependencies are not detected. An attacker who can influence cached packages (e.g., via local cache poisoning or a compromised registry) can provide modified dependency contents that will be accepted without detection. The mix.lock file is silently rewritten with the checksum values from the registry, erasing evidence of tampering. This issue affects hex: from 0.16.0 before 2.4.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1195.001 Compromise Software Dependencies and Development Tools Initial Access
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

Type mismatch bypasses lockfile checksum verification, directly enabling undetected modification of resolved dependencies (supply chain dependency compromise).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

hex
hex
0.16.0 — 2.4.2

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-354 CWE-494

Proper validation of integrity check values is required for reliable tamper detection, directly reducing undetected modification risks.

addresses: CWE-354 CWE-494

Requires use of proper integrity verification tools, reducing the chance an incorrect check value is accepted.

addresses: CWE-354 CWE-494

Requires proper validation of integrity mechanisms, directly mitigating flawed check-value handling.

addresses: CWE-494

Policies can require integrity verification of software prior to installation, reducing risks from unverified downloads.

addresses: CWE-494

Blocks installation of components lacking a valid signature, mitigating download or installation of code without integrity checks.

addresses: CWE-494

Acquisition and maintenance portions of the strategy drive requirements for integrity verification of downloaded or supplied code.

addresses: CWE-494

Mandating integrity control and approved-only changes during development prevents incorporation of code or components lacking integrity validation.

addresses: CWE-494

Supply chain protection requires integrity verification of acquired components, directly reducing insertion or tampering of malicious code during delivery.

References