
CVE-2026-32686: Unbounded Exponent Resource Exhaustion in ericmj/decimal

DEV Community·CVE Reports·20 days ago

Vulnerability ID: CVE-2026-32686
CVSS Score: 6.9
Published: 2026-05-12

The ericmj/decimal Elixir library suffers from an uncontrolled resource consumption vulnerability. Parsing decimal strings with exceptionally large exponents succeeds with minimal memory overhead, but subsequent arithmetic operations or string formatting attempts to materialize the expanded value. This exhausts BEAM Virtual Machine memory, causing an immediate denial of service.

TL;DR

Unbounded exponent parsing in ericmj/decimal allows remote attackers to crash the BEAM VM via OOM by supplying astronomical scientific notation values that trigger massive bignum allocations during arithmetic alignment.…
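One way to bound the exponent of untrusted text before it reaches the decimal parser, as an added example that is not code from this page or from ericmj/decimal. The module name `BoundedDecimalInput` and both limits are assumptions; an accepted string would then be handed to the library's parser as usual.

```elixir
# Added example; not code from ericmj/decimal.
# BoundedDecimalInput and both limits are hypothetical policy choices.
defmodule BoundedDecimalInput do
  @max_abs_exponent 1_000
  @max_input_bytes 64

  # Optional sign, digits with optional fraction, optional exponent.
  # Built in a function rather than stored in a module attribute.
  defp pattern, do: ~r/\A[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE]([+-]?\d+))?\z/

  @doc """
  Returns {:ok, input} when the written exponent is within bounds,
  otherwise {:error, reason}. Nothing numeric is built from the input.
  """
  def validate(input) when is_binary(input) do
    if byte_size(input) > @max_input_bytes do
      {:error, :too_long}
    else
      case Regex.run(pattern(), input) do
        nil -> {:error, :invalid_format}
        [_number, exp] when exp != "" -> check_exponent(input, exp)
        _no_exponent -> {:ok, input}
      end
    end
  end

  def validate(_other), do: {:error, :not_a_string}

  # The exponent text is at most @max_input_bytes characters, so
  # converting it to an integer is cheap even for hostile input.
  defp check_exponent(input, exp) do
    if abs(String.to_integer(exp)) <= @max_abs_exponent do
      {:ok, input}
    else
      {:error, :exponent_out_of_range}
    end
  end
end

# Constructed sample inputs.
for sample <- ["12.50", "6.02e23", "1e1000000000", "1e-999999999", "abc"] do
  IO.inspect({sample, BoundedDecimalInput.validate(sample)})
end
```

The guard checks both large positive and large negative exponents, since either sign forces a wide alignment when the value is combined with an ordinary number.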
