EEF-CVE-2026-43974

Source
https://cna.erlef.org/osv/EEF-CVE-2026-43974.html
Import Source
https://cna.erlef.org/osv/EEF-CVE-2026-43974.json
JSON Data
https://api.osv.dev/v1/vulns/EEF-CVE-2026-43974
Aliases
  • CVE-2026-43974
Published
2026-06-08T14:12:36.957Z
Modified
2026-06-08T16:34:38.989Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
gun HTTP/1.1 client accepts unsolicited 101 Switching Protocols response allowing server-driven protocol hijack and OOM
Details

Summary

Unexpected Status Code or Return Value vulnerability in ninenines gun (gun_http module) allows a malicious HTTP server to force the client into raw protocol mode via an unsolicited 101 Switching Protocols response.

In gun_http:handle_inform/8, when a 101 Switching Protocols response is received over HTTP/1.1, the function verifies only that the Upgrade header is syntactically valid and that the stream reference is a plain reference(). It does not check whether the client ever sent an Upgrade or Connection: upgrade header on the corresponding request. Because this check is absent, any 101 response (solicited or not) causes gun to dispatch a gun_upgrade message to the caller and transition the entire connection to raw protocol mode.

A malicious or compromised HTTP server can send an unsolicited 101 response to any HTTP/1.1 request, causing the gun client to abandon HTTP framing for that connection. Once in raw mode, gun_raw applies no flow control (flow=infinity) and re-arms socket active mode after every received packet, so the server can flood the client with arbitrary bytes. These are forwarded as unbounded gun_data messages to the owner process, exhausting its mailbox and BEAM memory, ultimately crashing the VM.

This issue affects gun: from 2.0.0 before 2.4.0.
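
The check the description says is missing, written out as an added illustration (this is not gun's code or its fix): a 101 is honoured only if the client's own request carried both an Upgrade header and Connection: upgrade, and the protocol the server selected is one the request offered. Header names are assumed to be lowercased binaries, as gun normalises them; the module and function names are hypothetical.

```erlang
%% Added example, not gun's own code. Decides whether a 101 Switching
%% Protocols response may be honoured, given the headers the client sent
%% on the corresponding request. Headers are [{LowercaseNameBin, ValueBin}].
-module(upgrade_guard).
-export([solicited_upgrade/2]).

%% Returns {ok, Protocol} when the request asked for an upgrade to the
%% protocol the response selected; otherwise {error, Reason}. A client
%% that gets {error, _} should treat the 101 as a protocol error and
%% close the connection instead of switching to raw mode.
solicited_upgrade(ReqHeaders, RespHeaders) ->
    ReqUpgrade  = tokens(proplists:get_value(<<"upgrade">>, ReqHeaders, <<>>)),
    ReqConn     = tokens(proplists:get_value(<<"connection">>, ReqHeaders, <<>>)),
    RespUpgrade = tokens(proplists:get_value(<<"upgrade">>, RespHeaders, <<>>)),
    case {ReqUpgrade, lists:member(<<"upgrade">>, ReqConn), RespUpgrade} of
        %% Request never offered an Upgrade: the 101 is unsolicited.
        {[], _, _} ->
            {error, unsolicited};
        %% Upgrade offered, but no "Connection: upgrade" token on the request.
        {_, false, _} ->
            {error, unsolicited};
        %% Solicited, but the 101 names no protocol at all.
        {_, true, []} ->
            {error, missing_upgrade_header};
        %% RFC 9110 expects a 101 to name the single protocol switched to;
        %% it must be one the request offered.
        {_, true, [Protocol | _]} ->
            case lists:member(Protocol, ReqUpgrade) of
                true  -> {ok, Protocol};
                false -> {error, {protocol_mismatch, Protocol}}
            end
    end.

%% Splits a comma-separated header value into trimmed, lowercased tokens,
%% so "Upgrade, keep-alive" and "upgrade" compare equal.
tokens(Bin) ->
    [string:lowercase(T)
     || T <- [string:trim(P) || P <- binary:split(Bin, <<",">>, [global])],
        T =/= <<>>].
```

With this guard, a plain GET with no Upgrade header yields {error, unsolicited} for any 101, while a request carrying Upgrade: websocket and Connection: upgrade yields {ok, <<"websocket">>} only for a 101 whose Upgrade header names websocket.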

Database specific
{
    "cpe_ids": [
        "cpe:2.3:a:ninenines:gun:*:*:*:*:*:*:*:*"
    ],
    "capec_ids": [
        "CAPEC-220",
        "CAPEC-130"
    ],
    "cwe_ids": [
        "CWE-841"
    ]
}
References
Credits
    • Peter Ullrich - FINDER
    • Loïc Hoguin - REMEDIATION_DEVELOPER

Affected packages

Hex / gun

Package

Name
gun
Purl
pkg:hex/gun

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
2.4.0

Affected versions

2.*
2.0.0
2.0.1
2.1.0
2.2.0
2.3.0

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-43974.json"

Git / github.com/ninenines/gun.git

Affected ranges

Type
GIT
Repo
https://github.com/ninenines/gun.git
Events

Affected versions

2.*
2.0.0
2.0.0-pre.1
2.0.0-pre.2
2.0.0-rc.1
2.0.0-rc.2
2.0.1
2.1.0
2.2.0
2.3.0

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-43974.json"