CVE-2026-34593
Published: 02 April 2026
Summary
CVE-2026-34593 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Ash-Hq Ash Framework. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely patching of the Ash Framework to version 3.22.0, which fixes the unconditional atom creation from unverified user-supplied module inputs.
Mandates validation of user-supplied inputs to :module type fields before processing to prevent creation of excessive Erlang atoms.
Implements protections against denial-of-service attacks, including those causing BEAM VM atom table exhaustion.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a server-side flaw allowing crafted inputs to trigger uncontrolled resource consumption (atom table exhaustion) and crash the application, directly enabling Application or System Exploitation for Endpoint Denial of Service.
NVD Description
Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists.…
more
Because Erlang atoms are never garbage-collected and the BEAM atom table has a hard default limit of approximately 1,048,576 entries, an attacker who can submit values to any resource attribute or argument of type :module can exhaust this table and crash the entire BEAM VM, taking down the application. This issue has been patched in version 3.22.0.
Deeper analysisAI
CVE-2026-34593 is a denial-of-service vulnerability in the Ash Framework, a declarative and extensible framework for building Elixir applications. Prior to version 3.22.0, the function Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom using Module.concat([value]) for any user-supplied binary string starting with "Elixir.", without first verifying if the referenced module exists. Erlang atoms are never garbage-collected, and the BEAM virtual machine enforces a hard default limit of approximately 1,048,576 entries in its atom table, allowing repeated submissions to exhaust this limit and crash the entire BEAM VM.
An unauthenticated attacker (PR:N) with network access (AV:N) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N) by submitting specially crafted inputs to any resource attribute or argument typed as :module. Successful exploitation results in high availability impact (A:H) with no confidentiality or integrity effects (C:N/I:N), as rated by its CVSS v3.1 score of 7.5. This leads to complete application downtime via atom table exhaustion.
The issue has been addressed in Ash Framework version 3.22.0, as detailed in the project's release notes and security advisory GHSA-jjf9-w5vj-r6vp. Security practitioners should upgrade to at least version 3.22.0 to mitigate the vulnerability. The associated CWEs are CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling).
Details
- CWE(s)