
CVE-2026-47077

Published 25/05/2026 15:16 · Modified 26/05/2026 19:58

Labels: CVE-2026-47077 · 2026-05-25 · 6b3ad84c-e1a6-4bf7-a703-f496b71e49db · CWE-400

Essential information

CVSS: 8.2 HIGH (v3) · 8.2 HIGH (v4.0)
CISA KEV: No
CWE: CWE-400

Description

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk, housekeeping message, or settings frame — it is not a wall-clock deadline. A malicious HTTP/3 server that emits one small chunk every Timeout - 1 ms with Fin = false and never sends a final frame keeps the loop alive indefinitely while the accumulation buffer grows linearly without bound, eventually exhausting the BEAM process heap and causing an out-of-memory condition. This issue affects hackney: from 2.0.0 before 4.0.1.
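The loop shape the description refers to, modelled as a small standalone Erlang module. This is an added example written for this page, not hackney's code: the module and function names, the message shapes {h3_data, Bin, Fin} and h3_housekeeping, and the slow_drip_server "malicious server" are all assumptions made for the demo. It puts the re-armed inactivity timer beside a loop that carries an absolute monotonic deadline and a byte cap, and drives both with the same slow trickle of Fin = false chunks.

```erlang
%% h3_loop_demo.erl
%% Added example, not hackney's own code. A simplified model of a body-
%% accumulating receive loop, showing why a per-message `after Timeout`
%% is not a deadline, and one way to bound both time and size.
%% The message shapes ({h3_data, Bin, Fin} and h3_housekeeping) are
%% assumptions made for this demo, not hackney_h3's real messages.
-module(h3_loop_demo).
-export([vulnerable_loop/2, hardened_loop/3, slow_drip_server/3, demo/0]).

%% Vulnerable shape. The `after Timeout` clause is re-armed on every
%% iteration, so any message (a body chunk, a housekeeping tick) resets
%% the inactivity timer. A peer that sends one byte every Timeout - 1 ms
%% with Fin = false keeps this loop alive forever, and Acc grows without
%% bound because nothing checks its size.
vulnerable_loop(Timeout, Acc) ->
    receive
        {h3_data, Bin, true} ->
            {ok, iolist_to_binary([Acc, Bin])};
        {h3_data, Bin, false} ->
            vulnerable_loop(Timeout, [Acc, Bin]);
        h3_housekeeping ->
            vulnerable_loop(Timeout, Acc)
    after Timeout ->
        {error, timeout}
    end.

%% Hardened shape. The deadline is an absolute monotonic timestamp fixed
%% once by the caller; each iteration only waits for what is left of it.
%% Every chunk is counted against a byte cap before it is kept.
hardened_loop(#{deadline := Deadline, max_body := MaxBody} = Opts, Acc, AccSize) ->
    Remaining = max(0, Deadline - erlang:monotonic_time(millisecond)),
    receive
        {h3_data, Bin, _Fin} when AccSize + byte_size(Bin) > MaxBody ->
            {error, {body_too_large, AccSize + byte_size(Bin)}};
        {h3_data, Bin, true} ->
            {ok, iolist_to_binary([Acc, Bin])};
        {h3_data, Bin, false} ->
            hardened_loop(Opts, [Acc, Bin], AccSize + byte_size(Bin));
        h3_housekeeping ->
            hardened_loop(Opts, Acc, AccSize)
    after Remaining ->
        {error, deadline_exceeded}
    end.

%% Constructed "malicious server": delivers one small chunk with Fin = false
%% every Interval ms, Chunks times, and never sends a final frame.
slow_drip_server(Target, Interval, Chunks) ->
    spawn(fun() -> drip(Target, Interval, Chunks) end).

drip(_Target, _Interval, 0) -> ok;
drip(Target, Interval, N) ->
    timer:sleep(Interval),
    Target ! {h3_data, <<"x">>, false},
    drip(Target, Interval, N - 1).

%% Discard anything the drip process left in our mailbox.
flush() ->
    receive _ -> flush() after 0 -> ok end.

%% erlc h3_loop_demo.erl && erl -noshell -s h3_loop_demo demo -s init stop
demo() ->
    Timeout = 100,
    %% Half of Timeout rather than Timeout - 1 ms so scheduler jitter cannot
    %% accidentally let the vulnerable loop's timer fire during the demo.
    Interval = Timeout div 2,

    T0 = erlang:monotonic_time(millisecond),
    P1 = slow_drip_server(self(), Interval, 20),
    V = vulnerable_loop(Timeout, []),
    exit(P1, kill), flush(),
    %% About 1100 ms: 20 chunks x 50 ms kept the loop alive, and the
    %% 100 ms timer fired only because the drip stopped.
    io:format("vulnerable: ~p after ~p ms (timeout was ~p ms)~n",
              [V, erlang:monotonic_time(millisecond) - T0, Timeout]),

    T1 = erlang:monotonic_time(millisecond),
    P2 = slow_drip_server(self(), Interval, 20),
    D = hardened_loop(#{deadline => T1 + 200, max_body => 1 bsl 20}, [], 0),
    exit(P2, kill), flush(),
    %% {error, deadline_exceeded} at about 200 ms, with 4 bytes buffered.
    io:format("deadline:   ~p after ~p ms~n",
              [D, erlang:monotonic_time(millisecond) - T1]),

    T2 = erlang:monotonic_time(millisecond),
    P3 = slow_drip_server(self(), Interval, 20),
    C = hardened_loop(#{deadline => T2 + 5000, max_body => 4}, [], 0),
    exit(P3, kill), flush(),
    %% {error, {body_too_large, 5}} when the fifth 1-byte chunk arrives.
    io:format("size cap:   ~p after ~p ms~n",
              [C, erlang:monotonic_time(millisecond) - T2]),
    ok.
```

Compile with erlc h3_loop_demo.erl and run erl -noshell -s h3_loop_demo demo -s init stop. The vulnerable loop returns only once the drip stops, a wall-clock span roughly ten times its Timeout, and nothing in it would have stopped the buffer from growing had the drip continued. The deadline variant returns at about 200 ms and the capped variant as soon as the fifth byte arrives, whatever the peer's pacing; a real client wants both bounds, since a fast peer can exhaust memory well inside any deadline and a slow one can trickle below any cap.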

NVD status

Status: Undergoing Analysis (the CVE has been recently published to the CVE List and has been received by the NVD)
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db

Affected products (CPE)

Product: benoitc / hackney
Affected versions: from 2.0.0 (inclusive) before 4.0.1
CPE entries:
  cpe:2.3:a:benoitc:hackney:2.0.0:*:*:*:*:*:*:*
  cpe:2.3:a:benoitc:hackney:<4.0.1:*:*:*:*:*:*:*
