EEF-CVE-2026-43970

Source
https://cna.erlef.org/osv/EEF-CVE-2026-43970.html
Import Source
https://cna.erlef.org/osv/EEF-CVE-2026-43970.json
JSON Data
https://api.osv.dev/v1/vulns/EEF-CVE-2026-43970
Aliases
Published
2026-05-13T18:43:11.640Z
Modified
2026-05-19T20:26:01.036608498Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame
Details

Summary

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion.

cowspdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for synstream, synreply, and headers frame types are all affected via cowspdy:parse_headers/2.

This issue affects cowlib from 0.1.0 before 2.16.1.

Configuration

The application must use cowspdy:parse/2 to parse SPDY frames from an untrusted peer. cowboy itself does not use cowspdy; only direct callers of the cow_spdy API are affected.

Database specific
{
    "cwe_ids": [
        "CWE-409"
    ],
    "capec_ids": [
        "CAPEC-130"
    ],
    "cpe_ids": [
        "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
    ]
}
References
Credits
    • Peter Ullrich - FINDER
    • Loïc Hoguin - REMEDIATION_DEVELOPER

Affected packages

Hex / cowlib

Package

Name
cowlib
Purl
pkg:hex/cowlib

Affected ranges

Type
SEMVER
Events
Introduced
0.1.0
Fixed
2.16.1

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.1.0
1.2.0
1.3.0
2.*
2.0.0
2.0.1
2.1.0
2.2.0
2.2.1
2.3.0
2.4.0
2.5.0
2.5.1
2.6.0
2.7.0
2.7.1
2.7.2
2.7.3
2.8.0
2.9.0
2.9.1
2.10.0
2.10.1
2.11.0
2.12.0
2.12.1
2.13.0
2.14.0
2.15.0
2.16.0

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-43970.json"

Git / github.com/ninenines/cowlib

Affected ranges

Type
GIT
Repo
https://github.com/ninenines/cowlib
Events

Affected versions

0.*
0.1.0
0.2.0
0.3.0
0.4.0
0.5.0
0.5.1
0.6.0
0.6.1
0.6.2
1.*
1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
2.*
2.0.0
2.0.0-pre.1
2.0.0-rc.1
2.0.1
2.1.0
2.10.0
2.10.1
2.11.0
2.12.0
2.12.1
2.13.0
2.14.0
2.15.0
2.16.0
2.2.0
2.2.1
2.3.0
2.4.0
2.5.0
2.5.1
2.6.0
2.7.0
2.7.1
2.7.2
2.7.3
2.8.0
2.9.0
2.9.1

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-43970.json"