CVE-2026-7790

Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow http te module) allows Excessive Allocation.

The chunked transfer-encoding parser in cow http te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N²) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N³). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification.

This vulnerability is associated with program file src/cow http te.erl and program routines cow http te:stream chunked/2, cow http te:chunked len/4.

This issue affects cowlib: from 0.6.0 before 2.16.1.