The MP4 box header parser converts each 4-byte box name to an atom using String.to_atom/1 without validation. 'Elixir.Membrane.MP4.Container.Header':parse_box_name/1 in lib/membrane_mp4/container/header.ex interns every box name encountered while 'Elixir.Membrane.MP4.Container.Header':parse/1 walks the input. BEAM atoms are never garbage-collected, so each unique attacker-controlled 4-byte name is a permanent allocation. A crafted MP4 of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names exhausts the atom table (default ceiling around 1,048,576 atoms), aborting the entire BEAM node and taking down all applications running on it.
This issue affects membrane_mp4_plugin from 0.3.0 before 0.36.7.
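The pattern described above next to one hardened alternative, as an added example; it is not code from membrane_mp4_plugin and not necessarily the fix shipped upstream. The module `BoxNameExample`, its function names and the allowlist of box names are assumptions made for illustration.

```elixir
defmodule BoxNameExample do
  # Hypothetical module for illustration; not code from membrane_mp4_plugin.
  # Illustrative allowlist of common ISO BMFF box names (assumption, not the plugin's schema).
  @known_names ~w(ftyp moov mvhd trak tkhd mdia mdhd hdlr minf stbl stsd
                  mdat free skip moof mfhd traf tfhd tfdt trun)
  # Atoms for known names are created once, at compile time.
  @known Map.new(@known_names, &{&1, String.to_atom(&1)})

  # Pattern the advisory describes: every distinct 4-byte name interns a new atom.
  def unsafe_name(<<name::binary-size(4)>>), do: String.to_atom(name)

  # Hardened form: known names map to existing atoms, unknown names stay binaries.
  def safe_name(<<name::binary-size(4)>>), do: Map.get(@known, name, name)

  # Walk top-level boxes (32-bit big-endian size that includes the 8-byte header).
  def walk(data, name_fun, acc \\ [])
  def walk(<<>>, _name_fun, acc), do: {:ok, Enum.reverse(acc)}

  def walk(<<size::32, name::binary-size(4), rest::binary>>, name_fun, acc)
      when size >= 8 and byte_size(rest) >= size - 8 do
    payload = size - 8
    tail = binary_part(rest, payload, byte_size(rest) - payload)
    walk(tail, name_fun, [name_fun.(name) | acc])
  end

  def walk(_truncated_or_bad_size, _name_fun, _acc), do: {:error, :malformed}

  # Atom-table growth caused by parsing n header-only boxes with distinct names.
  # Constructed input: names "q001", "q002", ... (n must be at most 999).
  def atoms_created(name_fun, n \\ 200) do
    input =
      for i <- 1..n, into: <<>> do
        <<8::32, "q", String.pad_leading(Integer.to_string(i), 3, "0")::binary>>
      end

    before = :erlang.system_info(:atom_count)
    {:ok, _names} = walk(input, name_fun)
    :erlang.system_info(:atom_count) - before
  end
end

IO.inspect(BoxNameExample.atoms_created(&BoxNameExample.safe_name/1), label: "safe_name")
IO.inspect(BoxNameExample.atoms_created(&BoxNameExample.unsafe_name/1), label: "unsafe_name")
IO.inspect(:erlang.system_info(:atom_limit), label: "atom_limit")
```

With the hardened form, code downstream of the parser has to accept a box name that is either an atom or a 4-byte binary.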
No vendor fix or workaround currently provided.
No advisories yet.
Thu, 11 Jun 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc |
Thu, 11 Jun 2026 11:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Allocation of Resources Without Limits or Throttling vulnerability in membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion. The MP4 box header parser converts each 4-byte box name to an atom using String.to_atom/1 without validation. 'Elixir.Membrane.MP4.Container.Header':parse_box_name/1 in lib/membrane_mp4/container/header.ex interns every box name encountered while 'Elixir.Membrane.MP4.Container.Header':parse/1 walks the input. BEAM atoms are never garbage-collected, so each unique attacker-controlled 4-byte name is a permanent allocation. A crafted MP4 of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names exhausts the atom table (default ceiling around 1,048,576 atoms), aborting the entire BEAM node and taking down all applications running on it. This issue affects membrane_mp4_plugin from 0.3.0 before 0.36.7. | |
| Title | Unauthenticated denial-of-service via BEAM atom table exhaustion in membrane_mp4_plugin | |
| First Time appeared | Membraneframework; Membraneframework membrane Mp4 Plugin | |
| Weaknesses | CWE-770 | |
| CPEs | cpe:2.3:a:membraneframework:membrane_mp4_plugin:*:*:*:*:*:*:*:* | |
| Vendors & Products | Membraneframework; Membraneframework membrane Mp4 Plugin | |
| References | | |
| Metrics | cvssV4_0 |
Status: PUBLISHED
Assigner: EEF
Published:
Updated: 2026-06-12T04:45:33.275Z
Reserved: 2026-06-09T11:01:47.529Z
Link: CVE-2026-53423
Updated: 2026-06-11T12:09:36.211Z
Status: Deferred
Published: 2026-06-11T12:16:31.810
Modified: 2026-06-11T15:35:37.873
Link: CVE-2026-53423
OpenCVE Enrichment
Updated: 2026-06-11T19:27:49Z