[Pkg-erlang-devel] Bug#1136649: erlang-cowlib: CVE-2026-43970
Salvatore Bonaccorso
carnil at debian.org
Thu May 14 12:41:36 BST 2026
Source: erlang-cowlib
Version: 1.3.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for erlang-cowlib.
CVE-2026-43970[0]:
| Improper Handling of Highly Compressed Data (Data Amplification)
| vulnerability in ninenines cowlib allows unauthenticated remote
| denial of service via memory exhaustion. cow_spdy:inflate/2 in
| cowlib passes peer-supplied compressed bytes directly to
| zlib:inflate/2 with no output size bound. The SPDY header
| compression dictionary (?ZDICT) is public, and zlib compresses long
| runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY
| frame payload can decompress to gigabytes on the BEAM heap, OOM-
| killing the node. A single unauthenticated SPDY frame is sufficient
| to trigger the condition. The parsers for syn_stream, syn_reply, and
| headers frame types are all affected via cow_spdy:parse_headers/2.
| This issue affects cowlib from 0.1.0 before 2.16.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-43970
    https://www.cve.org/CVERecord?id=CVE-2026-43970
[1] https://cna.erlef.org/cves/CVE-2026-43970.html
[2] https://osv.dev/vulnerability/EEF-CVE-2026-43970
[3] https://github.com/ninenines/cowlib/commit/16aad3fb9f81f5cda4d1706ff0c54237c619c282
Regards,
Salvatore
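As an added illustration of the amplification described in the quoted CVE text (not code from cowlib, the upstream fix, or this report), the unbounded inflate pattern next to a bounded variant that refuses output past a fixed cap; the dictionary is a constructed stand-in for ?ZDICT and the header block is a constructed sample, so the numbers are indicative only.

```python
import zlib

# Constructed stand-in for the public SPDY header dictionary (?ZDICT).
# The real dictionary is a fixed string from the SPDY spec; any value
# shared by both ends is enough to demonstrate the output bound.
ZDICT = b"optionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encoding"


class InflateLimitExceeded(Exception):
    """Raised when decompressed output would exceed the configured bound."""


def make_header_block(size):
    """Constructed sample: a highly repetitive header block, compressed with
    the shared dictionary as a SPDY peer would. Long runs of one byte deflate
    at roughly 1000:1, so a few KiB of payload expand to several MiB."""
    c = zlib.compressobj(level=9, zdict=ZDICT)
    return c.compress(b"a" * size) + c.flush()


def inflate_unbounded(data):
    """The vulnerable pattern from the advisory: hand the peer's bytes to zlib
    and accept however much output comes back."""
    d = zlib.decompressobj(zdict=ZDICT)
    return d.decompress(data) + d.flush()


def inflate_bounded(data, max_out):
    """Hardened variant: inflate in pieces and stop as soon as the output
    would exceed max_out, before the full expansion is ever allocated."""
    d = zlib.decompressobj(zdict=ZDICT)
    out = bytearray()
    buf = data
    while buf:
        room = max_out - len(out)
        # Ask for one byte more than we are willing to keep: receiving it
        # proves the peer's data would overrun the bound.
        piece = d.decompress(buf, room + 1)
        out += piece
        if len(out) > max_out:
            raise InflateLimitExceeded(f"decompressed output exceeds {max_out} bytes")
        if not piece and d.unconsumed_tail == buf:
            break  # no progress possible on this input
        buf = d.unconsumed_tail
    out += d.flush()
    if len(out) > max_out:
        raise InflateLimitExceeded(f"decompressed output exceeds {max_out} bytes")
    return bytes(out)


def amplification_ratio(size):
    """Decompressed bytes per compressed byte for a constructed block of `size`."""
    return size / len(make_header_block(size))
```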