[Pkg-erlang-devel] Bug#1137525: erlang-cowboy: CVE-2026-8466

Salvatore Bonaccorso carnil at debian.org
Sun May 24 20:14:47 BST 2026


Source: erlang-cowboy
Version: 2.0.0~pre.1+dfsg1-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for erlang-cowboy.

Note I'm not entirely certain that the pre.1 version already contains
the issue as well, but ideally, should erlang-cowboy ever get migrated
to testing, it should also be updated to at least 2.15.0, which contains
this fix.

CVE-2026-8466[0]:
| Allocation of Resources Without Limits or Throttling vulnerability
| in ninenines cowboy allows denial of service via unbounded buffer
| accumulation in multipart header parsing.  cowboy_req:read_part/3 in
| src/cowboy_req.erl accumulates incoming request bytes into a Buffer
| binary with no upper-bound check. When cow_multipart:parse_headers/2
| returns more or {more, Buffer2}, the function reads up to Length
| bytes (default 64 KB) from the request body and recurses with the
| enlarged buffer. There is no equivalent of the byte_size(Acc) >
| Length guard present in the sibling function read_part_body/4. An
| unauthenticated attacker can send a multipart/form-data request
| whose body never yields a complete header section — for example, a
| body that never contains the advertised boundary delimiter, or one
| whose header lines never contain \r\n\r\n — and force the server
| process to accumulate memory linearly with the bytes the protocol
| layer is willing to deliver. A handful of concurrent such uploads is
| sufficient to exhaust BEAM memory.  This issue affects cowboy from
| 2.0.0 before 2.15.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-8466
    https://www.cve.org/CVERecord?id=CVE-2026-8466
[1] https://cna.erlef.org/cves/CVE-2026-8466.html
[2] https://osv.dev/vulnerability/EEF-CVE-2026-8466

Regards,
Salvatore
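The following is an added illustration and is not code from cowboy, from the CVE record, or from this bug report. It models in Python the loop the CVE text describes: a multipart header parser that keeps answering "more" until the blank line ending the header block arrives, and a reader that appends up to Length (64 KB by default) further body bytes on every "more" and retries. The unbounded variant reproduces the behaviour the CVE attributes to cowboy_req:read_part/3; the guarded variant adds a check in the spirit of the byte_size(Acc) > Length guard the CVE says read_part_body/4 has. Every name in the block (BodyStream, parse_headers, read_part, demo) and the sample bodies are assumptions constructed for this example, not cowboy's APIs or data.

```python
"""Model of the header-accumulation loop described for CVE-2026-8466.

Added illustration, not cowboy's code.  It imitates in Python the
recursion the CVE text describes: a multipart header parser that answers
'more' until the blank line ending the header block arrives, and a reader
that appends up to `length` more body bytes on every 'more' and retries.
All names here (BodyStream, parse_headers, read_part, demo) and the cap
used by the guarded variant are assumptions for this example.
"""

DEFAULT_LENGTH = 64 * 1024  # 64 KB, the default read size the CVE text mentions


class BodyStream:
    """Constructed request body: `total` bytes made of `pattern` repeated."""

    def __init__(self, pattern, total=None):
        self.pattern = pattern
        self.total = len(pattern) if total is None else total
        self.pos = 0

    def read(self, n):
        """Deliver up to n bytes, continuing the pattern across reads."""
        n = min(n, self.total - self.pos)
        if n <= 0:
            return b""
        out = bytearray()
        while len(out) < n:
            i = self.pos % len(self.pattern)
            take = min(n - len(out), len(self.pattern) - i)
            out += self.pattern[i:i + take]
            self.pos += take
        return bytes(out)


def parse_headers(buf):
    """Simplified stand-in (assumed) for cow_multipart:parse_headers/2.

    Returns ("ok", headers, rest) once the CRLFCRLF that ends the header
    block is present, else ("more", buf): the caller must fetch more bytes.
    """
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return ("more", buf)
    headers = {}
    for line in buf[:end].split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return ("ok", headers, buf[end + 4:])


def read_part(stream, bounded, length=DEFAULT_LENGTH):
    """Read one part's headers; returns (status, headers, peak_buffer_bytes).

    bounded=False models the vulnerable loop: every 'more' appends up to
    `length` bytes and retries with no ceiling, so the buffer grows with
    whatever the body delivers.  bounded=True adds the missing guard,
    mirroring the byte_size(Acc) > Length check the CVE text attributes to
    read_part_body/4: once the accumulated headers exceed `length` the
    part is rejected instead of being read further.
    """
    buffer = b""
    peak = 0
    while True:
        result = parse_headers(buffer)
        if result[0] == "ok":
            return ("ok", result[1], peak)
        if bounded and len(buffer) > length:
            return ("error_headers_too_large", None, peak)
        chunk = stream.read(length)
        if not chunk:
            return ("eof", None, peak)  # body ended before the headers completed
        buffer += chunk
        peak = max(peak, len(buffer))


# Constructed inputs: a normal part header block, and an endless run of
# header lines that never reaches the blank line (no CRLFCRLF anywhere).
GOOD_PART = (b'Content-Disposition: form-data; name="file"\r\n'
             b"Content-Type: text/plain\r\n\r\nhello")
ENDLESS_HEADERS = b"X-Padding: " + b"A" * 53 + b"\r\n"  # 66 bytes, repeated


def demo(body_bytes=1 << 20):
    """Run both variants over both bodies; returns (good, vuln, safe) results."""
    good = read_part(BodyStream(GOOD_PART), bounded=True)
    vuln = read_part(BodyStream(ENDLESS_HEADERS, body_bytes), bounded=False)
    safe = read_part(BodyStream(ENDLESS_HEADERS, body_bytes), bounded=True)
    return good, vuln, safe


if __name__ == "__main__":
    good, vuln, safe = demo()
    print("legitimate part:", good[0], dict(good[1]))
    print("unbounded reader peak buffer: %d bytes (%s)" % (vuln[2], vuln[0]))
    print("guarded reader   peak buffer: %d bytes (%s)" % (safe[2], safe[0]))
```

With a 1 MB constructed body of header lines that never reach the blank line, the unbounded reader's buffer grows to the full 1 MB delivered (and would keep growing for a larger body), while the guarded reader stops after two reads and rejects the part; the legitimate part parses normally under both. Since the peak is per request process, several concurrent such uploads multiply that figure, which is the memory-exhaustion scenario the CVE text describes.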

