EEF-CVE-2026-32688

Source
https://cna.erlef.org/osv/EEF-CVE-2026-32688.html
Import Source
https://cna.erlef.org/osv/EEF-CVE-2026-32688.json
JSON Data
https://api.osv.dev/v1/vulns/EEF-CVE-2026-32688
Aliases
  • CVE-2026-32688
  • GHSA-q8x4-x7mp-5vg2
Published
2026-04-27T13:45:35.160Z
Modified
2026-04-28T04:25:01.084Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
Atom table exhaustion via HTTP/2 :scheme pseudo-header in plug_cowboy
Details

Summary

Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plug_cowboy allows unauthenticated remote denial of service via atom table exhaustion.

Plug.Cowboy.Conn.conn/1 in lib/plug/cowboy/conn.ex calls String.to_atom/1 on the value returned by :cowboy_req.scheme/1. For HTTP/2 connections, cowlib passes the client-supplied :scheme pseudo-header value through verbatim without validation. Each unique value permanently allocates a new entry in the BEAM atom table. Since atoms are never garbage-collected and the atom table has a fixed limit (default 1,048,576), an unauthenticated attacker can exhaust the table by sending HTTP/2 requests with unique :scheme values, causing the Erlang VM to abort with system_limit and taking down the entire node.

This vulnerability does not affect HTTP/1.1, where cowboy derives the scheme from the listener type rather than from a client-supplied header.

This issue affects plug_cowboy: from 2.0.0 before 2.8.1.

Workaround

Disable HTTP/2 on the Plug.Cowboy.https/3 listener by passing protocol_options: %{protocols: [:http]} in the cowboy options. This restricts the listener to HTTP/1.1, where the scheme is derived from the listener type and is not attacker-controlled.
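An added example, not plug_cowboy's own code and not its 2.8.1 fix, covering both the scheme conversion described in the details and the listener workaround above. The allowlisted mapping, the atom-table headroom check, and the router module and certificate paths are assumptions.

```elixir
# Added example (not plug_cowboy's code). Shows the atom-exhaustion pattern the
# advisory describes and two defender-side responses: an allowlisted scheme
# conversion and an HTTPS listener restricted to HTTP/1.1.
defmodule SchemeHardening do
  # Pattern described in the advisory: every distinct client-supplied :scheme
  # value becomes a new, never-collected atom (vulnerable; shown for contrast).
  def scheme_unsafe(req), do: String.to_atom(:cowboy_req.scheme(req))

  # Hardened form (assumed, not the upstream fix): only the two schemes HTTP
  # defines are ever interned, so client input can no longer grow the atom
  # table. Anything else is reported as a malformed request for the caller to
  # reject with a 4xx.
  def scheme_safe(req) do
    case :cowboy_req.scheme(req) do
      "http" -> {:ok, :http}
      "https" -> {:ok, :https}
      other -> {:error, {:bad_scheme, other}}
    end
  end

  # Operational check: how much atom-table headroom the node has left. Both
  # system_info keys are standard OTP; poll this from a health check and alert
  # well before used_fraction approaches 1.0, since exhaustion aborts the VM.
  def atom_table_usage do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    %{count: count, limit: limit, used_fraction: count / limit}
  end
end

# Workaround from the advisory applied to Plug.Cowboy.https/3: with ALPN limited
# to HTTP/1.1 the scheme comes from the listener type, not a client header.
# MyApp.Router and the certificate paths are placeholders.
{:ok, _pid} =
  Plug.Cowboy.https(MyApp.Router, [],
    port: 8443,
    certfile: "priv/cert/server.pem",
    keyfile: "priv/cert/server_key.pem",
    protocol_options: %{protocols: [:http]}
  )
```

Upgrading to plug_cowboy 2.8.1 or later removes the need for the listener restriction; the headroom check remains useful as a general guard against other atom-creating code paths.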

Database specific
{
    "cpe_ids": [
        "cpe:2.3:a:elixir-plug:plug_cowboy:*:*:*:*:*:*:*:*"
    ],
    "cwe_ids": [
        "CWE-770"
    ],
    "capec_ids": [
        "CAPEC-125"
    ]
}
References
Credits
    • Peter Ullrich - FINDER

Affected packages

Hex / plug_cowboy

Package

Name
plug_cowboy
Purl
pkg:hex/plug_cowboy

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
2.8.1

Affected versions

2.*
2.0.0
2.0.1
2.0.2
2.1.0
2.1.1
2.1.2
2.1.3
2.2.0
2.2.1
2.2.2
2.3.0
2.4.0
2.4.1
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.6.2
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.8.0

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-32688.json"

Git / github.com/elixir-plug/plug_cowboy

Affected ranges

Type
GIT
Repo
https://github.com/elixir-plug/plug_cowboy
Events

Affected versions

v2.*
v2.0.0
v2.0.1
v2.0.2
v2.1.0
v2.1.1
v2.1.2
v2.2.0
v2.2.1
v2.2.2
v2.3.0
v2.4.0
v2.5.0
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.8.0

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-32688.json"