EEF-CVE-2026-7790

Source
https://cna.erlef.org/osv/EEF-CVE-2026-7790.html
Import Source
https://cna.erlef.org/osv/EEF-CVE-2026-7790.json
JSON Data
https://api.osv.dev/v1/vulns/EEF-CVE-2026-7790
Aliases
  • CVE-2026-7790
Published
2026-05-11T18:06:41.490Z
Modified
2026-05-12T04:26:36.871Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
Unbounded chunk-size hex digits in cowlib cause quadratic CPU and memory DoS
Details

Summary

Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation.

The chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit is folded into the running length with a bignum multiply-add (Len * 16 + Digit), whose cost grows with the size of Len, so parsing N hex digits requires O(N²) CPU work and O(N) memory for the accumulated value. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and re-parses the buffered field from zero on resumption, raising the total cost to O(N³). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string, causing denial of service through CPU exhaustion and memory amplification.

This vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4.

This issue affects cowlib: from 0.6.0 before 2.16.1.
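The following is an added illustration, not cowlib's code: a minimal Python model of the chunk-size parsing pattern the advisory describes. Python ints are bignums, like Erlang's, so the Len * 16 + Digit accumulation has the same growth in cost. The model charges each digit a cost proportional to the number of digits already accumulated, which makes the quadratic one-shot cost, the cubic drip-fed restart cost, and the effect of a digit cap (an assumed limit of 16 hex digits, chosen here because it already exceeds any 64-bit length) directly measurable. The function names, the cap, and the attacker input are all constructed for the example.

```python
"""Cost model for the chunk-size parsing pattern described in the advisory.

Hypothetical illustration, not cow_http_te's implementation. Python ints are
bignums, like Erlang's, so Len * 16 + Digit slows down as Len grows.
"""

HEX_DIGITS = b"0123456789abcdefABCDEF"
MAX_CHUNK_SIZE_DIGITS = 16  # assumed cap: 16 hex digits already exceed any 64-bit length


class ChunkSizeTooLong(ValueError):
    """Raised by the hardened parser when the digit cap is exceeded."""


def parse_chunk_size(buf, max_digits=None, length=0, ndigits=0):
    """Scan the hex digits of a chunk-size field.

    Returns (status, length, ndigits, work). status is "done" once a terminator
    (CR or ';') follows the digits and "more" if buf ends inside the field.
    `work` models the bignum cost: folding in the i-th digit is charged i units,
    proportional to the size of the accumulated value, so N digits cost
    N*(N-1)/2 units, i.e. quadratic. With max_digits=None the parser is
    unbounded (the vulnerable pattern); with a cap it rejects long fields early.
    """
    work = 0
    for b in buf:
        if b in HEX_DIGITS:
            if max_digits is not None and ndigits >= max_digits:
                raise ChunkSizeTooLong(
                    f"chunk-size field longer than {max_digits} hex digits")
            work += ndigits  # multiply-add cost grows with the accumulated value
            length = length * 16 + int(chr(b), 16)
            ndigits += 1
        elif b in b"\r;":
            return "done", length, ndigits, work
        else:
            raise ValueError(f"invalid chunk-size byte {b!r}")
    return "more", length, ndigits, work


def drip_feed_restart(data, piece, max_digits=None):
    """Resumption as the advisory describes the vulnerable parser: a partial read
    drops the accumulated length and the next read re-parses the whole buffered
    field from zero. Summing quadratic parses over a growing buffer gives cubic
    total work. Returns (length, total_work)."""
    buffered = b""
    total_work = 0
    for off in range(0, len(data), piece):
        buffered += data[off:off + piece]
        status, length, _, work = parse_chunk_size(buffered, max_digits)
        total_work += work
        if status == "done":
            return length, total_work
    raise ValueError("chunk-size field not terminated")


def drip_feed_resume(data, piece, max_digits=MAX_CHUNK_SIZE_DIGITS):
    """Hardened resumption: carry (length, ndigits) across reads so every digit
    is processed exactly once, and enforce the digit cap across read boundaries
    as well. Returns (length, total_work)."""
    length = ndigits = 0
    total_work = 0
    for off in range(0, len(data), piece):
        status, length, ndigits, work = parse_chunk_size(
            data[off:off + piece], max_digits, length, ndigits)
        total_work += work
        if status == "done":
            return length, total_work
    raise ValueError("chunk-size field not terminated")


if __name__ == "__main__":
    # Constructed attacker input: 64 hex digits, far more than any real chunk needs.
    attack = b"a" * 64 + b"\r\n"
    print("one-shot, unbounded:", parse_chunk_size(attack)[3])           # 2016 = 64*63/2
    print("drip-fed, restart  :", drip_feed_restart(attack, 1)[1])      # 45696, ~N^3/6
    print("drip-fed, resume   :", drip_feed_resume(attack, 1, None)[1])  # 2016 again
    try:
        drip_feed_resume(attack, 1)  # default cap of 16 digits
    except ChunkSizeTooLong as exc:
        print("hardened           :", exc)
```

Feeding the 64-digit field one byte at a time costs the restarting parser about 22 times the work of a single pass here, and the gap widens with longer fields; the resuming parser pays the single-pass cost, and with the cap in place it stops after the seventeenth digit regardless of how the bytes are split across reads.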

Workaround

In Cowboy, setting initial_stream_flow_size to a much lower value limits the amount of chunked body data that cowlib will parse in a single read, reducing the window of data an attacker can use to trigger the quadratic work. This does not fully eliminate the vulnerability but can significantly reduce its impact for some applications.

Database specific
{
    "cpe_ids": [
        "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
    ],
    "cwe_ids": [
        "CWE-400"
    ],
    "capec_ids": [
        "CAPEC-130"
    ]
}
References
Credits
    • Peter Ullrich - FINDER
    • Loïc Hoguin - REMEDIATION_DEVELOPER

Affected packages

Hex / cowlib

Package

Name
cowlib
Purl
pkg:hex/cowlib

Affected ranges

Type
SEMVER
Events
Introduced
0.6.0
Fixed
2.16.1

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.1.0
1.2.0
1.3.0
2.*
2.0.0
2.0.1
2.1.0
2.2.0
2.2.1
2.3.0
2.4.0
2.5.0
2.5.1
2.6.0
2.7.0
2.7.1
2.7.2
2.7.3
2.8.0
2.9.0
2.9.1
2.10.0
2.10.1
2.11.0
2.12.0
2.12.1
2.13.0
2.14.0
2.15.0
2.16.0

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-7790.json"

Git / github.com/ninenines/cowlib

Affected ranges

Type
GIT
Repo
https://github.com/ninenines/cowlib
Events

Affected versions

0.*
0.6.0
0.6.1
0.6.2
1.*
1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
2.*
2.0.0
2.0.0-pre.1
2.0.0-rc.1
2.0.1
2.1.0
2.10.0
2.10.1
2.11.0
2.12.0
2.12.1
2.13.0
2.14.0
2.15.0
2.16.0
2.2.0
2.2.1
2.3.0
2.4.0
2.5.0
2.5.1
2.6.0
2.7.0
2.7.1
2.7.2
2.7.3
2.8.0
2.9.0
2.9.1

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-7790.json"