EEF-CVE-2026-48854 Unbounded request body accumulation causes memory exhaustion in elixir-grpc/grpc

Summary Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body. 'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read\full\body/3...

CVE-2026-48854

The CVE-2026-48854 affects the elixir-grpc/grpc project. The vulnerability resides in Elixir.GRPC.Server.Adapters.Cowboy.Handler:read_full_body/3, which accumulates every received chunk into a growing binary with no size cap. If the grpc-timeout header is omitted, per-chunk read timeouts resolve ...