216.73.217.80

CVE-2026-8466

· Published 13/05/2026 19:17 · Modified 14/05/2026 17:07

Labels: CVE-2026-8466 2026-05-136b3ad84c-e1a6-4bf7-a703-f496b71e49dbCVE-2026-8466CWE-770

Essential information

Published
13/05/2026 19:17
Modified
14/05/2026 17:07
Author
Creator
CVSS
8.2 HIGH (v3) 8.2 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing. cowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cow_multipart:parse_headers/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the byte_size(Acc) > Length guard present in the sibling function read_part_body/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section — for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \r\n\r\n — and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory. This issue affects cowboy from 2.0.0 before 2.15.0.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
NVD
View on NVD

Affected products (CPE)

ProductCPE
ninenines / cowboy cpe:2.3:a:ninenines:cowboy:<2.15.0:*:*:*:*:*:*

References