CVE-2026-21619

Publication date 27 February 2026

Last updated 11 March 2026

Ubuntu priority

Description

Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4. This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
rebar3	26.04 LTS resolute	Needs evaluation
	25.10 questing	Needs evaluation
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Needs evaluation
erlang-hex	26.04 LTS resolute	Not affected
	25.10 questing	Not affected
	24.04 LTS noble	Not affected
	22.04 LTS jammy	Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
rebar3	Upstream: 1d4478f
erlang-hex	Upstream: 636739f

References

Other references

https://www.cve.org/CVERecord?id=CVE-2026-21619