Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cowhttpte module) allows Excessive Allocation.
The chunked transfer-encoding parser in cowhttpte accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N²) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N³). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification.
This vulnerability is associated with program file src/cowhttpte.erl and program routines cowhttpte:streamchunked/2, cowhttpte:chunkedlen/4.
This issue affects cowlib: from 0.6.0 before 2.16.1.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "8c0e428b012c59f553a264f285ed89d36f791e3e"
},
{
"fixed": "a4b8039ce8c93ab00867ef6b7e888822c09f4369"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7790.json",
"cna_assigner": "EEF",
"cwe_ids": [
"CWE-400"
]
}