EEF-CVE-2026-8466

See a problem?
Please try reporting it to the source first.
Source
https://cna.erlef.org/osv/EEF-CVE-2026-8466.html
Import Source
https://cna.erlef.org/osv/EEF-CVE-2026-8466.json
JSON Data
https://api.osv.dev/v1/vulns/EEF-CVE-2026-8466
Aliases
  • CVE-2026-8466
Published
2026-05-13T18:26:21.089Z
Modified
2026-05-14T04:30:32.552Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy
Details

Summary

Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing.

cowboyreq:readpart/3 in src/cowboyreq.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cowmultipart:parseheaders/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the bytesize(Acc) > Length guard present in the sibling function readpartbody/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section — for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \r\n\r\n — and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory.

This issue affects cowboy from 2.0.0 before 2.15.0.

Configuration

The application must expose an HTTP endpoint that calls cowboyreq:readpart/1,2 to process multipart/form-data request bodies. Deployments that do not handle multipart uploads are not affected.

Database specific 
{
    "capec_ids": [
        "CAPEC-130"
    ],
    "cpe_ids": [
        "cpe:2.3:a:ninenines:cowboy:*:*:*:*:*:*:*:*"
    ],
    "cwe_ids": [
        "CWE-770"
    ]
}
References
Credits
    • Peter Ullrich - FINDER
    • Loïc Hoguin - REMEDIATION_DEVELOPER

Affected packages

Hex / cowboy

Package

Name
cowboy
Purl
pkg:hex/cowboy

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
2.15.0

Affected versions

2.*
2.0.0
2.1.0
2.2.0
2.2.1
2.2.2
2.3.0
2.4.0
2.5.0
2.6.0
2.6.1
2.6.2
2.6.3
2.7.0
2.8.0
2.9.0
2.10.0
2.11.0
2.12.0
2.13.0
2.14.0
2.14.1
2.14.2

Database specific

source 
"https://cna.erlef.org/osv/EEF-CVE-2026-8466.json"

Git / github.com/ninenines/cowboy

Affected ranges

Type
GIT
Repo
https://github.com/ninenines/cowboy
Events
Introduced
917cf99e10c41676183d501b86af6e47c95afb89
Fixed
5c6a2061b41bb5771c4659fac7d5a822dca5bafb

Affected versions

0.*
0.10.0
1.*
1.0.0
2.*
2.0.0
2.0.0-pre.1
2.0.0-pre.10
2.0.0-pre.2
2.0.0-pre.3
2.0.0-pre.4
2.0.0-pre.5
2.0.0-pre.6
2.0.0-pre.7
2.0.0-pre.8
2.0.0-pre.9
2.0.0-rc.1
2.0.0-rc.2
2.0.0-rc.3
2.0.0-rc.4
2.1.0
2.10.0
2.11.0
2.12.0
2.13.0
2.14.0
2.14.1
2.14.2
2.2.0
2.2.1
2.2.2
2.3.0
2.4.0
2.5.0
2.6.0
2.6.1
2.6.2
2.6.3
2.7.0
2.8.0
2.9.0

Database specific

source 
"https://cna.erlef.org/osv/EEF-CVE-2026-8466.json"