Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion.
cowspdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for synstream, synreply, and headers frame types are all affected via cowspdy:parse_headers/2.
This issue affects cowlib from 0.1.0 before 2.16.1.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "fad5c0049df278cc498b6cdb519b09e845a070a8"
},
{
"fixed": "16aad3fb9f81f5cda4d1706ff0c54237c619c282"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43970.json",
"cna_assigner": "EEF",
"cwe_ids": [
"CWE-409"
]
}