PT-2026-39731 · Cowlib (+1)

Loïc Hoguin (+1) · Published 2026-05-11 · Updated 2026-05-22 · CVE-2026-7790

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: cowlib versions 0.6.0 through 2.16.0
Description: An uncontrolled resource consumption issue in the cow_http_te module allows for excessive allocation. The chunked transfer-encoding parser accepts an unbounded number of hex digits in the chunk-size field. Each digit triggers a bignum multiplication, resulting in O(N²) CPU work and O(N) memory usage for N hex digits. When input is drip-fed, the parser discards the accumulated length on partial reads and restarts, increasing the cost to O(N³). An unauthenticated remote attacker can cause a denial of service via CPU exhaustion and memory amplification by sending an HTTP/1.1 request with Transfer-Encoding: chunked and an excessively long chunk-size hex string. This issue is associated with the file src/cow_http_te.erl and the functions cow_http_te:stream_chunked/2 and cow_http_te:chunked_len/4.
Recommendations: Update to version 2.16.1. In Cowboy, set initial_stream_flow_size to a significantly lower value to limit the amount of chunked body data parsed in a single read, reducing the impact of the resource consumption.
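The two parser properties the description names, an uncapped digit count and an accumulator that is thrown away on partial reads, are shown below in a hardened form. This is an added example written for this page in Python, not cowlib's Erlang code and not the fix shipped in 2.16.1: a chunk-size line parser whose state survives across feed() calls (so drip-fed input costs O(N) total rather than restarting) and which rejects the field once it exceeds MAX_CHUNK_SIZE_DIGITS. The 16-digit cap is an assumption for the example; 16 hex digits already cover every size up to 2**64 - 1, and the bound caps both the work per digit and the size of the accumulated integer.

```python
# Added example (not cowlib's code): a Python model of a bounded, resumable
# HTTP/1.1 chunk-size line parser. The 16-digit cap is an assumption chosen
# because 16 hex digits already cover every size up to 2**64 - 1.
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_CHUNK_SIZE_DIGITS = 16  # assumed bound; cowlib's actual limit is not stated on the page


class ChunkSizeError(ValueError):
    """Raised when the chunk-size line is malformed or exceeds the digit bound."""


def _hex_value(c: int) -> Optional[int]:
    """Return the value of an ASCII hex digit byte, or None for any other byte."""
    if 0x30 <= c <= 0x39:        # '0'..'9'
        return c - 0x30
    if 0x61 <= c <= 0x66:        # 'a'..'f'
        return c - 0x61 + 10
    if 0x41 <= c <= 0x46:        # 'A'..'F'
        return c - 0x41 + 10
    return None


@dataclass
class ChunkSizeParser:
    """Incremental parser for `chunk-size [;chunk-ext] CRLF`.

    State survives between feed() calls, so a peer that drip-feeds one byte
    per read costs O(N) total work for N digits instead of restarting the
    accumulation on every partial read. The digit cap bounds both the CPU
    spent per digit and the size of the accumulated integer.
    """
    size: int = 0
    ndigits: int = 0
    in_extension: bool = False
    seen_cr: bool = False

    def feed(self, data: bytes) -> Optional[Tuple[int, bytes]]:
        """Consume bytes; return (chunk_size, remaining_bytes) once the line
        is complete, or None if more input is needed."""
        i = 0
        while i < len(data):
            c = data[i]
            if not self.in_extension:
                v = _hex_value(c)
                if v is not None:
                    if self.ndigits >= MAX_CHUNK_SIZE_DIGITS:
                        raise ChunkSizeError("chunk-size field exceeds "
                                             f"{MAX_CHUNK_SIZE_DIGITS} hex digits")
                    self.size = self.size * 16 + v
                    self.ndigits += 1
                    i += 1
                    continue
                if self.ndigits == 0:
                    raise ChunkSizeError("chunk-size must begin with a hex digit")
                # First non-digit byte: the rest of the line is extension/terminator.
                self.in_extension = True
            # Extension region: only the CRLF terminator matters here.
            if c == 0x0D:
                self.seen_cr = True
            elif c == 0x0A and self.seen_cr:
                return self.size, data[i + 1:]
            else:
                self.seen_cr = False
            i += 1
        return None


def parse_chunk_size_line(data: bytes) -> Tuple[int, bytes]:
    """One-shot wrapper over ChunkSizeParser for a buffer holding a complete line."""
    result = ChunkSizeParser().feed(data)
    if result is None:
        raise ChunkSizeError("incomplete chunk-size line")
    return result


if __name__ == "__main__":
    # Constructed sample input: a chunk header with an extension, then body bytes.
    print(parse_chunk_size_line(b"400;ext=1\r\nbody"))   # (1024, b'body')
```

The resumable parser is the part that matters for the drip-feed case: a caller keeps one ChunkSizeParser per in-progress chunk header and passes each new read to feed(), so a one-byte-per-read peer never causes the digits already consumed to be re-parsed. The cap turns an unbounded allocation into a fixed-cost rejection of the request.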

Fix · DoS · Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2026-7790
GHSA-32P9-57CR-4X65

Affected Products

Cowboy
Cowlib