PT-2026-40777 · Cowlib · Cowlib

Credit: Loïc Hoguin, +1
Published: 2026-05-13 · Updated: 2026-05-13
CVE-2026-43970 · CVSS v4.0 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: cowlib versions 0.1.0 through 2.16.0
Description: Improper handling of highly compressed data leads to data amplification, allowing an unauthenticated remote actor to cause a denial of service via memory exhaustion. The cow_spdy:inflate/2 function passes compressed bytes received from a peer to zlib:inflate/2 without any bound on the size of the output. Because the SPDY header-compression dictionary (?ZDICT) is public and zlib compresses runs of repeated bytes at a ratio of roughly 1024:1, a SPDY frame payload of a few kilobytes can inflate into gigabytes on the BEAM heap, producing an out-of-memory (OOM) condition that kills the node. A single unauthenticated SPDY frame is enough to trigger it. The inflate call is reached through cow_spdy:parse_headers/2, which the parsers for the syn_stream, syn_reply and headers frame types all use, so all three frame types are affected. The issue specifically impacts applications that call cow_spdy:parse/2 on SPDY frames received from untrusted peers.
Recommendations: Update to version 2.16.1 or later. As a temporary mitigation, do not call cow_spdy:parse/2 on data received from untrusted peers.
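The amplification described above, as an added illustration that is not cowlib code: the dictionary below is a constructed stand-in for the real SPDY ?ZDICT (any shared dictionary shows the same effect, since the attacker controls the compressed stream), bounded_inflate() is one way to cap the inflated size and is not the patch shipped in cowlib 2.16.1, and MAX_HEADER_BLOCK is an assumed limit. The point it makes is that checking the frame length on the wire is useless here; the bound has to be enforced on the inflated output.

```python
"""Amplification behind CVE-2026-43970 and a bounded alternative.

Added example, not cowlib code.  The dictionary is a stand-in for ?ZDICT,
bounded_inflate() is one possible cap (not the 2.16.1 fix), and
MAX_HEADER_BLOCK is an assumed value.
"""
import zlib

# Constructed stand-in for the public SPDY header-compression dictionary.
SPDY_DICT_STANDIN = (
    b"optionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encoding"
    b"accept-languageauthorizationexpectfromhostif-modified-sinceif-match"
)

# Assumed cap on how large one inflated header block may become.
MAX_HEADER_BLOCK = 64 * 1024


def compress_with_dict(data, dictionary=SPDY_DICT_STANDIN):
    """Build the compressed header block a malicious peer would send."""
    c = zlib.compressobj(9, zlib.DEFLATED, zlib.MAX_WBITS,
                         zlib.DEF_MEM_LEVEL, zlib.Z_DEFAULT_STRATEGY, dictionary)
    return c.compress(data) + c.flush()


def unbounded_inflate(payload, dictionary=SPDY_DICT_STANDIN):
    """The vulnerable pattern: inflate everything the peer sent with no output
    cap, so the peer alone decides how much memory this allocates."""
    d = zlib.decompressobj(zdict=dictionary)
    return d.decompress(payload) + d.flush()


def bounded_inflate(payload, max_out=MAX_HEADER_BLOCK, dictionary=SPDY_DICT_STANDIN):
    """Inflate at most max_out bytes and reject the block if more would follow."""
    d = zlib.decompressobj(zdict=dictionary)
    out = d.decompress(payload, max_out)
    if d.unconsumed_tail:
        # The output buffer filled before the input ran out.  Ask for one more
        # byte: if any is produced the block is oversized; if none is, the
        # leftover input was only the stream trailer.
        if d.decompress(d.unconsumed_tail, 1):
            raise ValueError("header block exceeds %d bytes" % max_out)
    if not d.eof:
        raise ValueError("truncated or incomplete header block")
    return out


def amplification(n_bytes):
    """Inflated size divided by wire size for n_bytes of one repeated byte."""
    return n_bytes / len(compress_with_dict(b"\x00" * n_bytes))


def accepts(payload, max_out=MAX_HEADER_BLOCK):
    """True if bounded_inflate() accepts the block, False if it rejects it."""
    try:
        bounded_inflate(payload, max_out)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed hostile block: 1 MiB of zeros, roughly a kilobyte on the wire.
    big = compress_with_dict(b"\x00" * (1 << 20))
    print("wire bytes: %d, ratio ~%.0f:1" % (len(big), amplification(1 << 20)))
    print("unbounded inflate ->", len(unbounded_inflate(big)), "bytes")
    print("bounded inflate accepts hostile block?", accepts(big))
    # Constructed benign block: a small set of header lines.
    small = compress_with_dict(b"host: example.org\r\n" * 20)
    print("bounded inflate accepts benign block?", accepts(small))
```

Scale the constructed payload up from 1 MiB toward the multi-gigabyte sizes the advisory describes and the wire size stays in the kilobytes while unbounded_inflate() allocates the full amount; only the cap on inflated output changes the outcome.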

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2026-43970
GHSA-84F2-RP86-235P

Affected Products

Cowlib