CVE-2026-53430 grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1

🗓️ 15 Jun 2026 21:55:33Reported by EEFType

Gzip decompression bomb in Elixir grpc can exhaust heap via attacker data before 1.0.0.

Reporter	Title	Published	Views	Family All 6
Circl	CVE-2026-53430	16 Jun 202600:38	–	circl
CVE	CVE-2026-53430	15 Jun 202621:55	–	cve
EUVD	EUVD-2026-37014	15 Jun 202621:55	–	euvd
NVD	CVE-2026-53430	15 Jun 202623:16	–	nvd
OSV	EEF-CVE-2026-53430 grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1	15 Jun 202621:55	–	osv
Positive Technologies	PT-2026-49535	15 Jun 202600:00	–	ptsecurity

[
  {
    "collectionURL": "https://hex.pm",
    "cpes": [
      "cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"
    ],
    "defaultStatus": "unaffected",
    "modules": [
      "'Elixir.GRPC.Compressor.Gzip'",
      "'Elixir.GRPC.Message'"
    ],
    "packageName": "grpc",
    "packageURL": "pkg:hex/grpc",
    "product": "grpc",
    "programFiles": [
      "lib/grpc/compressor/gzip.ex",
      "lib/grpc/message.ex"
    ],
    "programRoutines": [
      {
        "name": "'Elixir.GRPC.Compressor.Gzip':decompress/1"
      },
      {
        "name": "'Elixir.GRPC.Message':from_data/2"
      }
    ],
    "repo": "https://github.com/elixir-grpc/grpc",
    "vendor": "elixir-grpc",
    "versions": [
      {
        "lessThan": "1.0.0",
        "status": "affected",
        "version": "0.4.0",
        "versionType": "semver"
      }
    ]
  },
  {
    "collectionURL": "https://github.com",
    "cpes": [
      "cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"
    ],
    "defaultStatus": "unaffected",
    "modules": [
      "'Elixir.GRPC.Compressor.Gzip'",
      "'Elixir.GRPC.Message'"
    ],
    "packageName": "elixir-grpc/grpc",
    "packageURL": "pkg:github/elixir-grpc/grpc",
    "product": "grpc",
    "programFiles": [
      "lib/grpc/compressor/gzip.ex",
      "lib/grpc/message.ex"
    ],
    "programRoutines": [
      {
        "name": "'Elixir.GRPC.Compressor.Gzip':decompress/1"
      },
      {
        "name": "'Elixir.GRPC.Message':from_data/2"
      }
    ],
    "repo": "https://github.com/elixir-grpc/grpc",
    "vendor": "elixir-grpc",
    "versions": [
      {
        "lessThan": "1afbab9d57d2a3e16ca9c62ffa4923338ea96cfc",
        "status": "affected",
        "version": "beae6800fc8baf126f3fe7107d86a50e105275ba",
        "versionType": "git"
      }
    ]
  }
]

Source	Link
osv	www.osv.dev/vulnerability/EEF-CVE-2026-53430
github	www.github.com/elixir-grpc/grpc/security/advisories/GHSA-6ccx-9c9f-327w
github	www.github.com/elixir-grpc/grpc/commit/1afbab9d57d2a3e16ca9c62ffa4923338ea96cfc
cna	www.cna.erlef.org/cves/CVE-2026-53430.html

15 Jun 2026 21:55Current

CVSS 48.7

CWE-409