[Pkg-erlang-devel] Bug#1136446: erlang-cowlib: CVE-2026-7790
Salvatore Bonaccorso
carnil at debian.org
Wed May 13 21:43:19 BST 2026
Source: erlang-cowlib
Version: 1.3.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for erlang-cowlib.
CVE-2026-7790[0]:
| Uncontrolled Resource Consumption vulnerability in ninenines cowlib
| (cow_http_te module) allows Excessive Allocation. The chunked
| transfer-encoding parser in cow_http_te accepts an unbounded number
| of hex digits in the chunk-size field. Each digit causes a bignum
| multiplication (Len * 16 + digit), so parsing N hex digits requires
| O(N²) CPU work and O(N) memory. Additionally, when input is drip-
| fed, the parser discards the accumulated length on each partial read
| and restarts from zero on resumption, raising the cost to O(N³). An
| unauthenticated remote attacker can exploit this by sending an
| HTTP/1.1 request with Transfer-Encoding: chunked and a very long
| chunk-size hex string to cause denial of service through CPU
| exhaustion and memory amplification. This vulnerability is
| associated with program file src/cow_http_te.erl and program
| routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4.
| This issue affects cowlib: from 0.6.0 before 2.16.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-7790
https://www.cve.org/CVERecord?id=CVE-2026-7790
[1] https://cna.erlef.org/cves/CVE-2026-7790.html
[2] https://osv.dev/vulnerability/EEF-CVE-2026-7790
[3] https://github.com/ninenines/cowlib/commit/a4b8039ce8c93ab00867ef6b7e888822c09f4369
Regards,
Salvatore
More information about the Pkg-erlang-devel
mailing list