CVE Vulnerability Details :
CVE-2026-47066
PUBLISHED
Assigner: EEF
Assigner Org ID: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Published At: 25 May, 2026 | 14:00
Updated At: 27 May, 2026 | 15:40
Rejected At-
CVE Numbering Authority (CNA)
Infinite loop in Alt-Svc header parser in hackney

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in benoitc hackney allows Excessive Allocation. The Alt-Svc response header parser in src/hackney_altsvc.erl does not guarantee forward progress. When parse_token/2 receives a non-token, non-whitespace, non-comma byte (e.g. !, @, =, ;), it returns the input unchanged. skip_comma/1 also returns the buffer unchanged when the first byte is not a comma. parse_entries/2 then recurses with identical data, creating a tight infinite tail-recursive loop that pins a scheduler at 100% CPU. The calling process never returns. The entry point parse_and_cache/3 is called synchronously in the connection process on every HTTP response. A single-byte Alt-Svc: ! response header is sufficient to trigger the hang; the header is fully controlled by any HTTP origin the client connects to. This issue affects hackney: from 2.0.0-beta.1 before 4.0.1.
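
The forward-progress failure described above, as an added Erlang sketch that is not hackney's source code. The module name, the simplified token rule, the fuel counter and the guarded variant are assumptions made for illustration; the guard is one possible hardening, not the project's patch.

```erlang
%% Added illustration: a simplified model, NOT hackney's source code.
-module(altsvc_progress_demo).
-export([run/0, parse_model/2, parse_guarded/1]).

%% Simplified token rule (assumption): alphanumerics and "-".
is_token(C) ->
    (C >= $a andalso C =< $z) orelse (C >= $A andalso C =< $Z)
        orelse (C >= $0 andalso C =< $9) orelse C =:= $-.

%% Consumes leading token bytes; on any other byte the input comes back unchanged.
parse_token(<<C, Rest/binary>> = Bin, Acc) ->
    case is_token(C) of
        true  -> parse_token(Rest, <<Acc/binary, C>>);
        false -> {Acc, Bin}
    end;
parse_token(<<>>, Acc) -> {Acc, <<>>}.

%% Drops one leading comma; any other first byte leaves the buffer unchanged.
skip_comma(<<$,, Rest/binary>>) -> Rest;
skip_comma(Bin) -> Bin.

%% Loop shape from the description: recurse on the remainder without checking
%% that anything was consumed. Fuel exists only so this demo returns.
parse_model(<<>>, _Fuel) -> done;
parse_model(Bin, 0) -> {still_looping, Bin};
parse_model(Bin, Fuel) ->
    {_Tok, Rest} = parse_token(Bin, <<>>),
    parse_model(skip_comma(Rest), Fuel - 1).

%% Guarded variant (one possible hardening): each pass must shrink the buffer.
parse_guarded(Bin) -> parse_guarded(Bin, []).

parse_guarded(<<>>, Acc) -> {ok, lists:reverse(Acc)};
parse_guarded(Bin, Acc) ->
    {Tok, Rest0} = parse_token(Bin, <<>>),
    case skip_comma(Rest0) of
        Rest when byte_size(Rest) < byte_size(Bin) ->
            parse_guarded(Rest, [Tok | Acc]);
        _NoProgress ->
            {error, {no_progress, Bin}}
    end.

%% Constructed inputs: the single byte "!" from the description, and a benign list.
run() ->
    {still_looping, <<"!">>} = parse_model(<<"!">>, 100000),
    done = parse_model(<<"h3,h2">>, 100000),
    {error, {no_progress, <<"!">>}} = parse_guarded(<<"!">>),
    {ok, [<<"h3">>, <<"h2">>]} = parse_guarded(<<"h3,h2">>),
    ok.
```

Saved as altsvc_progress_demo.erl and compiled with erlc, altsvc_progress_demo:run() returns ok when all four matches hold.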

Affected Products
Vendor: benoitc
Product: hackney
Collection URL: https://repo.hex.pm
Package Name: hackney
Repo: https://github.com/benoitc/hackney
CPEs
  • cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Modules
  • hackney_altsvc
Program Files
  • src/hackney_altsvc.erl
Program Routines
  • hackney_altsvc:parse_entries/2
  • hackney_altsvc:parse_entry/1
  • hackney_altsvc:parse_protocol/1
  • hackney_altsvc:parse_token/2
  • hackney_altsvc:skip_comma/1
Default Status: unaffected
Versions
Affected
  • From 2.0.0-beta.1 before 4.0.1 (semver)

Vendor: benoitc
Product: hackney
Collection URL: https://github.com
Package Name: benoitc/hackney
Repo: https://github.com/benoitc/hackney
CPEs
  • cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Modules
  • hackney_altsvc
Program Files
  • src/hackney_altsvc.erl
Program Routines
  • hackney_altsvc:parse_entries/2
  • hackney_altsvc:parse_entry/1
  • hackney_altsvc:parse_protocol/1
  • hackney_altsvc:parse_token/2
  • hackney_altsvc:skip_comma/1
Default Status: unaffected
Versions
Affected
  • From 408e5fe20302226ea8c74dde2bcbd452d712b5b2 before e548aba1f97ffa3f4750da7b772998fb78c01894 (git)
Problem Types
Type: CWE
CWE ID: CWE-835
Description: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Metrics
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Impacts
CAPEC ID: CAPEC-130
Description: CAPEC-130 Excessive Allocation
Credits

finder: Peter Ullrich
remediation developer: Benoit Chesneau
analyst: Jonatan Männchen / EEF
References
  • https://github.com/benoitc/hackney/security/advisories/GHSA-6cp8-v795-jr2j (vendor-advisory, related)
  • https://cna.erlef.org/cves/CVE-2026-47066.html (related)
  • https://osv.dev/vulnerability/EEF-CVE-2026-47066 (related)
  • https://github.com/benoitc/hackney/commit/e548aba1f97ffa3f4750da7b772998fb78c01894 (patch)
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
References
  • https://github.com/benoitc/hackney/security/advisories/GHSA-6cp8-v795-jr2j (exploit)