Atom Exhaustion Is Not a Footgun. It's One Third of Our CVEs
Atom exhaustion is a significant vulnerability class in the BEAM ecosystem: 35.8% of CVEs published by the Erlang Ecosystem Foundation CNA fall into the category of uncontrolled resource consumption, and a large share of those are caused by atom exhaustion. This denial-of-service issue arises when atoms are created from user-supplied input: atoms are never garbage collected, so the global atom table can fill up and crash the virtual machine. To mitigate the risk, avoid creating new atoms at runtime and use the existing-atom variants or explicit lookup tables instead.
- Atom exhaustion represents a major category of vulnerabilities in the Erlang Ecosystem.
- Creating atoms from user input can lead to denial-of-service attacks if the input is not controlled or finite.
- Developers are encouraged to use linters and existing-atom variants to prevent atom exhaustion vulnerabilities.
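The pattern behind the issue next to the two mitigations named above, as an added Elixir example that is not code from the original article. The module names `RoleParser` and `AtomGrowth`, the role names and the sample inputs are all constructed for illustration.

```elixir
defmodule RoleParser do
  # Hypothetical module; the role names are constructed sample values.
  @roles %{"admin" => :admin, "editor" => :editor, "viewer" => :viewer}

  # Vulnerable: every distinct input string becomes a new, never-collected atom.
  def unsafe(input) when is_binary(input), do: String.to_atom(input)

  # Hardened (explicit lookup table): only the listed strings map to atoms.
  def from_table(input) when is_binary(input) do
    case Map.fetch(@roles, input) do
      {:ok, role} -> {:ok, role}
      :error -> {:error, :unknown_role}
    end
  end

  # Hardened (existing-atom variant): never grows the atom table, but accepts
  # any atom already present in the VM, so validate the result where it matters.
  def from_existing(input) when is_binary(input) do
    {:ok, String.to_existing_atom(input)}
  rescue
    ArgumentError -> {:error, :unknown_atom}
  end
end

defmodule AtomGrowth do
  # Returns how many atoms were added to the global table while running `fun`.
  def measure(fun) do
    start_count = :erlang.system_info(:atom_count)
    fun.()
    :erlang.system_info(:atom_count) - start_count
  end
end

# Constructed sample input: 1_000 distinct strings standing in for request data.
inputs = for i <- 1..1_000, do: "role_#{System.unique_integer([:positive])}_#{i}"

for {label, parse} <- [
      {"String.to_atom", &RoleParser.unsafe/1},
      {"lookup table", &RoleParser.from_table/1},
      {"String.to_existing_atom", &RoleParser.from_existing/1}
    ] do
  grew = AtomGrowth.measure(fn -> Enum.each(inputs, parse) end)
  IO.puts("#{label}: +#{grew} atoms (limit #{:erlang.system_info(:atom_limit)})")
end
```

Run as a script, the first line of output shows the atom table growing with the number of distinct inputs, while the two hardened parsers leave it unchanged for the same inputs.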
Opening excerpt (first ~120 words)

Atom Exhaustion Is Not a Footgun. It's One Third of Our CVEs.
May 26, 2026 by Jonatan Männchen
Posted in Security
Tags: security, atom-exhaustion, vulnerability, dos

35.8% of CVEs published by the Erlang Ecosystem Foundation CNA fall into the category of uncontrolled resource consumption. In the BEAM ecosystem, a large share of those are caused by one recurring issue: atom exhaustion. You can find the current distribution on the EEF CNA’s Common Weaknesses page.

Atom exhaustion is a denial-of-service vulnerability. Atoms are not garbage collected and are stored in a global atom table, and once it fills up, the VM crashes. Creating atoms from non-finite values, especially user-supplied input, is therefore a latent DoS waiting to happen.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Erlef.