Vulnerability Details: CVE-2026-43970

Summary
Assigner: EEF
Assigner Org ID: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Published At: 13 May, 2026 | 18:43
Updated At: 15 May, 2026 | 04:33
Rejected At: -

Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2. This issue affects cowlib from 0.1.0 before 2.16.1.
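The missing output bound the description identifies, shown as an added example in Python's zlib rather than cowlib's Erlang (this is not the project's code): the same dictionary-assisted inflate, first in the unbounded shape the advisory describes and then capped, run on a constructed stand-in dictionary and a constructed run of repeated bytes. Python's decompressobj.decompress stands in for zlib:inflate/2 here, and its max_length argument is what supplies the bound.

```python
import zlib

# Constructed stand-in for the public SPDY header-compression dictionary (?ZDICT);
# a shared preset dictionary need not be secret for the amplification to work.
ZDICT = (b"optionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encoding"
         b"accept-languageauthorizationcontent-typecontent-lengthuser-agent")

# Constructed inputs: a small SPDY-style header block, and the run of repeated
# bytes that deflate compresses at roughly 1000:1.
SAMPLE_HEADERS = b"\x00\x02\x00\x07:method\x00\x03GET\x00\x05:path\x00\x01/"
BOMB_PLAINTEXT = b"\x00" * (4 << 20)   # 4 MiB of zeros; a few KiB once compressed
MAX_INFLATED = 256 * 1024              # cap on inflated header bytes per frame

class InflateLimitExceeded(Exception):
    """A compressed header block would inflate past the configured limit."""

def compress_with_dict(data: bytes) -> bytes:
    """Compress as a SPDY peer would, against the shared dictionary."""
    c = zlib.compressobj(zdict=ZDICT)
    return c.compress(data) + c.flush()

def unbounded_inflate(payload: bytes) -> bytes:
    """The vulnerable shape: inflate whatever the peer sent, however large."""
    d = zlib.decompressobj(zdict=ZDICT)
    return d.decompress(payload) + d.flush()

def bounded_inflate(payload: bytes, limit: int = MAX_INFLATED) -> bytes:
    """Inflate in capped steps and abort once output would exceed `limit`."""
    d = zlib.decompressobj(zdict=ZDICT)
    out, pending = bytearray(), payload
    while pending:
        # Ask for at most one byte beyond the remaining budget: receiving it
        # proves the block is too large, and the rest is never inflated.
        chunk = d.decompress(pending, limit - len(out) + 1)
        out += chunk
        if len(out) > limit:
            raise InflateLimitExceeded(f"inflated output exceeds {limit} bytes")
        if not chunk and d.unconsumed_tail == pending:
            break                          # no progress possible; do not spin
        pending = d.unconsumed_tail
    return bytes(out)

def inflates_within_limit(payload: bytes, limit: int = MAX_INFLATED) -> bool:
    """True when the block inflates under the cap and the frame may be parsed."""
    try:
        bounded_inflate(payload, limit)
        return True
    except InflateLimitExceeded:
        return False
```

The cap is per header block; a real parser would also account for the per-connection total, since the peer can send many frames.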

Common Vulnerabilities and Exposures (CVE), cve.org
Assigner: EEF
Assigner Org ID: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Published At: 13 May, 2026 | 18:43
Updated At: 15 May, 2026 | 04:33
Rejected At: -

CVE Numbering Authority (CNA)

Affected Products
Vendor
ninenines
Product
cowlib
Collection URL
https://repo.hex.pm
Package Name
cowlib
Repo
https://github.com/ninenines/cowlib
CPEs
  • cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*
Modules
  • cow_spdy
Program Files
  • src/cow_spdy.erl
Program Routines
  • cow_spdy:parse/2
  • cow_spdy:inflate/2
  • cow_spdy:parse_headers/2
  • cow_spdy:parse_headers/4
Default Status
unaffected
Versions
Affected
  • From 0.1.0 before 2.16.1 (semver)
Vendor
ninenines
Product
cowlib
Collection URL
https://github.com
Package Name
ninenines/cowlib
Repo
https://github.com/ninenines/cowlib
CPEs
  • cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*
Modules
  • cow_spdy
Program Files
  • src/cow_spdy.erl
Program Routines
  • cow_spdy:parse/2
  • cow_spdy:inflate/2
  • cow_spdy:parse_headers/2
  • cow_spdy:parse_headers/4
Default Status
unaffected
Versions
Affected
  • From fad5c0049df278cc498b6cdb519b09e845a070a8 before 16aad3fb9f81f5cda4d1706ff0c54237c619c282 (git)
Problem Types
  • CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
Metrics
  • CVSS 4.0, base score 8.2 (HIGH)
    Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Impacts
  • CAPEC-130 Excessive Allocation
Solutions

Upgrade to cowlib 2.16.1 or later, in which the cow_spdy module has been removed entirely. No patched version of cow_spdy will be provided. Migrate away from SPDY, which has been deprecated since 2015 in favour of HTTP/2.

Configurations

The application must use cow_spdy:parse/2 to parse SPDY frames from an untrusted peer. cowboy itself does not use cow_spdy; only direct callers of the cow_spdy API are affected.

Credits
  • Finder: Peter Ullrich
  • Remediation developer: Loïc Hoguin
References
  • https://cna.erlef.org/cves/CVE-2026-43970.html (related, third-party-advisory)
  • https://osv.dev/vulnerability/EEF-CVE-2026-43970 (related)
  • https://github.com/ninenines/cowlib/commit/16aad3fb9f81f5cda4d1706ff0c54237c619c282 (patch)
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment: information is not available yet
National Vulnerability Database (NVD), nvd.nist.gov
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Published At: 13 May, 2026 | 19:17
Updated At: 14 May, 2026 | 17:07

CISA Catalog
  • Date Added: N/A
  • Due Date: N/A
  • Vulnerability Name: N/A
  • Required Action: N/A
Metrics
  • Type: Secondary, CVSS 4.0, base score 8.2 (HIGH)
    Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CPE Matches

Weaknesses
  • CWE-409 (Type: Secondary; Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
References
  • https://cna.erlef.org/cves/CVE-2026-43970.html (Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db; Resource: N/A)
  • https://github.com/ninenines/cowlib/commit/16aad3fb9f81f5cda4d1706ff0c54237c619c282 (Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db; Resource: N/A)
  • https://osv.dev/vulnerability/EEF-CVE-2026-43970 (Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db; Resource: N/A)

Change History
0 records; information is not available yet

Similar CVEs

1 record found

CVE-2026-8466
Matching Score: 8
Assigner: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVSS Score: 8.2 | HIGH
EPSS: 0.02% / 6.55% (7-day change ~0.00%)
Published: 13 May, 2026 | 18:26
Updated: 14 May, 2026 | 17:07
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy

Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing. cowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cow_multipart:parse_headers/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the byte_size(Acc) > Length guard present in the sibling function read_part_body/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section — for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \r\n\r\n — and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory. This issue affects cowboy from 2.0.0 before 2.15.0.

Action: Not Available
Vendor: ninenines
Product: cowboy
CWE ID: CWE-770 Allocation of Resources Without Limits or Throttling