PT-2026-39731 · Cowlib, Cowboy
Loïc Hoguin +1
Published 2026-05-11 · Updated 2026-05-22
CVE-2026-7790
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
cowlib versions 0.6.0 through 2.16.0
Description
An uncontrolled resource consumption issue in the cow_http_te module allows for excessive allocation. The chunked transfer-encoding parser accepts an unbounded number of hex digits in the chunk-size field. Each digit triggers a bignum multiplication, resulting in O(N²) CPU work and O(N) memory usage for N hex digits. When input is drip-fed, the parser discards the accumulated length on partial reads and restarts, increasing the cost to O(N³).

An unauthenticated remote attacker can cause a denial of service via CPU exhaustion and memory amplification by sending an HTTP/1.1 request with Transfer-Encoding: chunked and an excessively long chunk-size hex string.

This issue is associated with the file src/cow_http_te.erl and the functions cow_http_te:stream_chunked/2 and cow_http_te:chunked_len/4.
Recommendations
Update to version 2.16.1.
In Cowboy, set initial_stream_flow_size to a significantly lower value to limit the amount of chunked body data parsed in a single read, reducing the impact of the resource consumption.
Fix
DoS
Resource Exhaustion
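The following Python sketch is added here as an illustration and is not cowlib's code. It shows the two properties a chunk-size parser needs to avoid the cost described above: a cap on the number of hex digits accepted (assumed here to be 16, which already covers a chunk of 2^64-1 bytes) and a state record carried across partial reads, so a drip-fed field costs O(1) per byte instead of being rescanned from the start on every read. The names (ChunkSizeState, feed_chunk_size, parse_drip_fed, MAX_CHUNK_SIZE_HEX_DIGITS), the digit cap and the sample reads are constructed for this example.

```python
# Added illustration of a bounded, resumable chunk-size parser. Not cowlib's code;
# the names and the 16-digit cap are assumptions made for this example.
from dataclasses import dataclass

MAX_CHUNK_SIZE_HEX_DIGITS = 16   # assumption: 16 hex digits already encode 2**64 - 1 bytes
HEX = b"0123456789abcdefABCDEF"


class ChunkSizeTooLong(ValueError):
    """Raised as soon as the chunk-size field exceeds the digit cap."""


@dataclass
class ChunkSizeState:
    """Partial chunk-size value carried across reads, so a drip-fed field is never rescanned."""
    value: int = 0
    ndigits: int = 0
    ops: int = 0            # digit operations performed, reported for the demonstration below


def feed_chunk_size(state: ChunkSizeState, data: bytes):
    """Consume chunk-size hex digits from `data`.

    Returns (done, size, rest). `done` is False when `data` ended inside the
    field; call again with the next read and the same `state`. The digit cap is
    checked per digit, so an oversized field is rejected after at most
    MAX_CHUNK_SIZE_HEX_DIGITS + 1 digits no matter how the input is split.
    """
    for i, c in enumerate(data):
        if c in HEX:
            state.ndigits += 1
            if state.ndigits > MAX_CHUNK_SIZE_HEX_DIGITS:
                raise ChunkSizeTooLong(
                    f"chunk-size field longer than {MAX_CHUNK_SIZE_HEX_DIGITS} hex digits")
            # value stays below 2**64 because of the cap, so this shift is cheap
            state.value = (state.value << 4) | int(chr(c), 16)
            state.ops += 1
        else:
            if state.ndigits == 0:
                raise ValueError("chunk-size field is empty")
            # ';' starts chunk extensions, '\r' ends the line; either terminates the size
            return True, state.value, data[i:]
    return False, None, b""


def parse_drip_fed(reads: list) -> tuple:
    """Feed successive reads through one state; return (size, digit operations).

    Because the state persists, the operation count equals the number of digits
    seen, independent of how many reads the field was split across.
    """
    state = ChunkSizeState()
    for chunk in reads:
        done, size, _rest = feed_chunk_size(state, chunk)
        if done:
            return size, state.ops
    raise ValueError("chunk-size line incomplete")


if __name__ == "__main__":
    # constructed sample: chunk size "1a" delivered one byte per read
    print(parse_drip_fed([b"1", b"a", b"\r\n"]))
    try:
        parse_drip_fed([b"f" * 8, b"f" * 8, b"f", b"\r\n"])
    except ChunkSizeTooLong as e:
        print("rejected:", e)
```

The cap is what removes the bignum cost: with at most 16 digits the accumulated value fits in a machine word, so the per-digit shift is constant time. The persistent state is what removes the restart cost: splitting the field into many small reads does not change the operation count. Rejecting early also means the connection can be closed before any body bytes are buffered.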
Affected Products
Cowboy
Cowlib