
CVE-2026-43970

Published 13/05/2026 19:17 · Modified 14/05/2026 17:07

Labels: CVE-2026-43970, 2026-05-13, 6b3ad84c-e1a6-4bf7-a703-f496b71e49db, CWE-409

Essential information

Published: 13/05/2026 19:17
Modified: 14/05/2026 17:07
Author: Creator
CVSS: 8.2 HIGH (v3), 8.2 HIGH (v4.0)
CISA KEV: No
CWE: CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)

Description

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2. This issue affects cowlib from 0.1.0 before 2.16.1.
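The two decompression shapes the description contrasts, as an added example that is not cowlib's code: it uses Python's zlib binding rather than Erlang's, but the pattern is the same one. The dictionary, the 64 KiB limit and all function names are assumptions for the demonstration; only the mechanism (a public preset dictionary plus an attacker-chosen run of repeated bytes, inflated either without any bound or with a bound enforced before the memory is allocated) is taken from the description.

```python
import zlib

# Constructed stand-in for SPDY's public header dictionary (?ZDICT in cowlib).
# The real dictionary is longer, but the point is only that it is public, so
# an attacker can compress against it exactly as the server will decompress.
DEMO_ZDICT = (
    b"optionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encoding"
    b"accept-languageauthorizationexpectfromhostif-modified-sinceif-match"
    b"if-none-matchif-rangeif-unmodifiedsincemax-forwardsproxy-authorization"
    b"rangerefererteuser-agent"
)

# Assumed policy limit on one decompressed header block; size it to what the
# application can actually afford per connection.
MAX_HEADER_BLOCK = 64 * 1024


class HeaderBlockTooLarge(Exception):
    """Raised when the peer's compressed header block would inflate past the limit."""


def build_amplified_header_block(decompressed_size, zdict=DEMO_ZDICT):
    """What a malicious peer sends: one long run of a single byte, deflated with the
    public dictionary and ended with Z_SYNC_FLUSH, as SPDY header blocks are."""
    c = zlib.compressobj(level=9, zdict=zdict)
    return c.compress(b"\x00" * decompressed_size) + c.flush(zlib.Z_SYNC_FLUSH)


def inflate_unbounded(block, zdict=DEMO_ZDICT):
    """Vulnerable shape: hand the peer's bytes to zlib and keep whatever comes out.
    The output size is chosen entirely by the attacker."""
    d = zlib.decompressobj(zdict=zdict)
    return d.decompress(block)


def inflate_bounded(block, limit=MAX_HEADER_BLOCK, zdict=DEMO_ZDICT):
    """Hardened shape: inflate in bounded steps and abort as soon as the output
    would exceed `limit`, before the rest is ever allocated."""
    d = zlib.decompressobj(zdict=zdict)
    out = bytearray()
    pending = block
    while pending:
        room = limit - len(out)
        # Ask for at most one byte more than the remaining budget: receiving that
        # byte proves the block is over budget without inflating the whole thing.
        piece = d.decompress(pending, max_length=room + 1)
        out += piece
        if len(out) > limit:
            raise HeaderBlockTooLarge(f"header block exceeds {limit} bytes")
        if not piece and d.unconsumed_tail == pending:
            break  # no progress: truncated or corrupt stream, nothing more to do
        pending = d.unconsumed_tail
    return bytes(out)


def amplification_ratio(block, decompressed_size):
    """Decompressed bytes per compressed byte for a crafted block."""
    return decompressed_size / len(block)


if __name__ == "__main__":
    size = 8 * 1024 * 1024
    bomb = build_amplified_header_block(size)
    print(f"{len(bomb)} compressed bytes -> {size} bytes "
          f"({amplification_ratio(bomb, size):.0f}:1)")
    try:
        inflate_bounded(bomb)
    except HeaderBlockTooLarge as err:
        print("rejected:", err)
```

The bounded loop keys off `max_length` and `unconsumed_tail`, which is the streaming interface Python's zlib exposes; in Erlang the same loop can be built on zlib:safeInflate/2, which returns output in bounded chunks instead of the whole stream at once. Whatever the binding, the check must run on the growing output inside the loop, not on the compressed input length, since the compressed length is what the attacker keeps small.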

NVD status

Status: Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db

Affected products (CPE)

Product: ninenines / cowlib
CPE: cpe:2.3:a:ninenines:cowlib:<0.1.0-2.16.1>:*:*:*:*:*:*:*
