EEF-CVE-2026-47067
- Source
- https://cna.erlef.org/osv/EEF-CVE-2026-47067.html
- Import Source
- https://cna.erlef.org/osv/EEF-CVE-2026-47067.json
- JSON Data
- https://api.osv.dev/v1/vulns/EEF-CVE-2026-47067
- Aliases
-
- CVE-2026-47067
- GHSA-9653-rcfr-5c62
- Published
- 2026-05-25T14:00:48.507Z
- Modified
- 2026-05-26T19:46:49.558Z
- Severity
-
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Atom table exhaustion via unrecognized URL schemes in hackney
- Details
-
Summary
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackneyurl.erl converts every unrecognized URL scheme to a permanent BEAM atom via binarytoatom/2. BEAM atoms are never garbage-collected and the atom table defaults to a hard limit of 1,048,576 entries. An attacker who can supply URLs with attacker-chosen scheme prefixes — directly as request targets, as configured webhook URLs, or via Location headers followed during redirects — can exhaust the atom table and crash the entire BEAM VM with systemlimit.
This issue affects hackney: from 2.0.0 before 4.0.1.
- Database specific
{ "cpe_ids": [ "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*" ], "capec_ids": [ "CAPEC-125" ], "cwe_ids": [ "CWE-770" ] }- References
- Credits
-
-
- Peter Ullrich - FINDER
-
- Benoit Chesneau - REMEDIATION_DEVELOPER
-
- Jonatan Männchen - ANALYST
-
Affected packages
Hex / hackney
Package
- Name
- hackney
- Purl
- pkg:hex/hackney