GHSA-q8x4-x7mp-5vg2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q8x4-x7mp-5vg2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-q8x4-x7mp-5vg2/GHSA-q8x4-x7mp-5vg2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q8x4-x7mp-5vg2
- Aliases
-
- CVE-2026-32688
- EEF-CVE-2026-32688
- Published
- 2026-05-05T21:46:09Z
- Modified
- 2026-05-05T22:14:10.498322Z
- Severity
-
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Plug.Cowboy vulnerable to unauthenticated remote DoS via HTTP/2 `:scheme` atom-table exhaustion
- Details
-
Summary
An unauthenticated remote denial-of-service vulnerability in
Plug.Cowboy.Connallows any attacker who can reach an HTTPS Plug.Cowboy listener via HTTP/2 to permanently exhaust the BEAM atom table and crash the entire Erlang VM.Am I Affected?
All users running plug_cowboy with HTTP/2 may be affected, this includes Phoenix applications. If another HTTP adapter such as Bandit is used, then the consuming project is not affected. If the HTTP/2 endpoint is exposed directly (without a proxy) then the project will be affected. If a proxy is in use then it depends on the proxy configuration. Many proxies use HTTP/1.1 internally, and would be unaffected.
Impact
The vulnerability will allow crashing the Erlang VM (BEAM) via atom exhaustion.
Mitigation
Users are advised to update to plug_cowboy v2.8.1 to mitigate this issue.
Credits
Plug.Cowboy thanks Peter Ullrich for finding and responsibly disclosing this vulnerability.
- Database specific
{ "github_reviewed": true, "severity": "HIGH", "github_reviewed_at": "2026-05-05T21:46:09Z", "nvd_published_at": "2026-04-27T14:16:47Z", "cwe_ids": [ "CWE-770" ] }- References
-
- https://github.com/elixir-plug/plug_cowboy/security/advisories/GHSA-q8x4-x7mp-5vg2
- https://nvd.nist.gov/vuln/detail/CVE-2026-32688
- https://github.com/elixir-plug/plug_cowboy/commit/bfb34cb45eb354e56437f7023fb306de1bf9c19b
- https://cna.erlef.org/cves/CVE-2026-32688.html
- https://github.com/elixir-plug/plug_cowboy
- https://osv.dev/vulnerability/EEF-CVE-2026-32688
Affected packages
Hex / plug_cowboy
Package
- Name
- plug_cowboy
- Purl
- pkg:hex/plug_cowboy