
Description

Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plug_cowboy allows unauthenticated remote denial of service via atom table exhaustion. Plug.Cowboy.Conn.conn/1 in lib/plug/cowboy/conn.ex calls String.to_atom/1 on the value returned by :cowboy_req.scheme/1. For HTTP/2 connections, cowlib passes the client-supplied :scheme pseudo-header value through verbatim without validation. Each unique value permanently allocates a new entry in the BEAM atom table. Since atoms are never garbage-collected and the atom table has a fixed limit (default 1,048,576), an unauthenticated attacker can exhaust the table by sending HTTP/2 requests with unique :scheme values, causing the Erlang VM to abort with system_limit and taking down the entire node. This vulnerability does not affect HTTP/1.1, where cowboy derives the scheme from the listener type rather than from a client-supplied header. This issue affects plug_cowboy: from 2.0.0 before 2.8.1.
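The mechanism above comes down to one call: `String.to_atom/1` on a string the client controls, which creates a new, never-collected atom for every distinct input. The module below is an added illustration and is not plug_cowboy's or cowboy's own code; `unsafe/1` reproduces that pattern, `safe/1` shows one defensive alternative (an explicit match on the only two schemes HTTP defines, which never touches the atom table for unknown input), and `atom_table_usage/0` is a small check an operator can run on a node to watch atom-table consumption. The module name, function names and the constructed inputs are assumptions for this example; the page does not state how the referenced patch commit resolves the issue, so `safe/1` should not be read as the project's fix.

```elixir
defmodule SchemeAtom do
  @moduledoc """
  Added example (not plug_cowboy's code): converting a client-controlled
  scheme string to an atom, in the vulnerable form and in a hardened form.
  """

  # Vulnerable pattern: every distinct input string allocates a new atom.
  # Atoms are never garbage-collected and the table has a fixed limit
  # (default 1,048,576), so unbounded distinct inputs eventually abort the VM.
  def unsafe(scheme) when is_binary(scheme), do: String.to_atom(scheme)

  # Hardened pattern (assumed alternative, not the project's patch): only the
  # two schemes HTTP defines are mapped to atoms; anything else is rejected
  # before any atom could be created.
  def safe("http"), do: {:ok, :http}
  def safe("https"), do: {:ok, :https}
  def safe(other) when is_binary(other), do: {:error, {:invalid_scheme, other}}

  # Operator check: fraction of the atom table in use on this node.
  # Both system_info keys exist in OTP 20 and later.
  def atom_table_usage do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    %{count: count, limit: limit, used: count / limit}
  end

  # Shows that safe/1 leaves the atom count unchanged for unknown inputs,
  # while unsafe/1 grows it by one per distinct string. The inputs are
  # constructed for this demonstration.
  def demo(n \\ 100) do
    inputs = for i <- 1..n, do: "constructed-scheme-#{i}"
    before = :erlang.system_info(:atom_count)
    Enum.each(inputs, &safe/1)
    after_safe = :erlang.system_info(:atom_count)
    Enum.each(inputs, &unsafe/1)
    after_unsafe = :erlang.system_info(:atom_count)

    %{
      safe_rejected: Enum.count(inputs, &match?({:error, _}, safe(&1))),
      safe_growth: after_safe - before,
      unsafe_growth: after_unsafe - after_safe
    }
  end
end

IO.inspect(SchemeAtom.safe("https"))
IO.inspect(SchemeAtom.safe("constructed-garbage"))
IO.inspect(SchemeAtom.demo())
IO.inspect(SchemeAtom.atom_table_usage())
```

Running this with `elixir scheme_atom.exs` prints `{:ok, :https}`, an `{:error, {:invalid_scheme, ...}}` tuple, a map with `safe_growth: 0` and `unsafe_growth: 100`, and the node's current atom-table usage. A steadily rising `used` value on a production node that only ever sees `http` and `https` is the kind of signal worth alerting on while the affected version range is still deployed.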

PUBLISHED | Reserved 2026-03-13 | Published 2026-04-27 | Updated 2026-04-28 | Assigner EEF

HIGH: 8.7 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-770 Allocation of Resources Without Limits or Throttling

Product status

Versions (semver):
Default status: unaffected
2.0.0 before 2.8.1: affected

Commits (git):
Default status: unaffected
12ecfd024bb179d48b018fecf074e43fe6a19c83 before bfb34cb45eb354e56437f7023fb306de1bf9c19b: affected

Credits

Peter Ullrich (finder)

References

github.com/...cowboy/security/advisories/GHSA-q8x4-x7mp-5vg2 (vendor-advisory, related)

cna.erlef.org/cves/CVE-2026-32688.html (related)

osv.dev/vulnerability/EEF-CVE-2026-32688 (related)

github.com/...ommit/bfb34cb45eb354e56437f7023fb306de1bf9c19b (patch)

cve.org (CVE-2026-32688)

nvd.nist.gov (CVE-2026-32688)
