
Description

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk, housekeeping message, or settings frame — it is not a wall-clock deadline. A malicious HTTP/3 server that emits one small chunk every Timeout - 1 ms with Fin = false and never sends a final frame keeps the loop alive indefinitely while the accumulation buffer grows linearly without bound, eventually exhausting the BEAM process heap and causing an out-of-memory condition. This issue affects hackney: from 2.0.0 before 4.0.1.
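The description above turns on two points: an `after Timeout` clause that is re-armed by every incoming message is an inactivity timer, not a deadline, and a body accumulator with no size cap grows as long as that loop stays alive. The Erlang module below is an added illustration written for this page; it is not hackney's code and does not reproduce hackney_h3:await_response_loop/6. It models a receive loop that collects body chunks from a simulated stream process, first in the unbounded per-message form the advisory describes, then in a hardened form with an absolute deadline and a maximum body size. The message shapes (`{chunk, From, Data, Fin}`, `{settings, From}`), the function names, and the parameters `TotalTimeout` and `MaxBody` are all assumptions made for the example.

```erlang
-module(h3_body_loop).
-export([collect_unbounded/2, collect_bounded/2, demo/0]).

%% Simulated stream messages, constructed for this example (not hackney's wire
%% format):
%%   {chunk, FromPid, Data, Fin}   Fin :: boolean(), true marks the final frame
%%   {settings, FromPid}           a housekeeping message carrying no body bytes

%% The shape the advisory describes: `after Timeout` re-arms on every message and
%% the accumulator has no upper bound, so a peer that sends one small chunk more
%% often than Timeout keeps the loop alive while Acc grows without limit.
collect_unbounded(Timeout, Acc) ->
    receive
        {chunk, _From, Data, false} ->
            collect_unbounded(Timeout, [Data | Acc]);
        {chunk, _From, Data, true} ->
            {ok, iolist_to_binary(lists:reverse([Data | Acc]))};
        {settings, _From} ->
            %% housekeeping traffic also resets the inactivity timer
            collect_unbounded(Timeout, Acc)
    after Timeout ->
        %% report how much had piled up by the time the peer finally went quiet
        {error, {timeout, iolist_size(Acc)}}
    end.

%% Hardened form (example parameters, not hackney's API): an absolute deadline
%% fixed once up front, a per-receive timeout derived from the time remaining,
%% and a cap on the number of body bytes accepted.
collect_bounded(TotalTimeout, MaxBody) ->
    Deadline = erlang:monotonic_time(millisecond) + TotalTimeout,
    bounded_loop(Deadline, MaxBody, [], 0).

bounded_loop(Deadline, MaxBody, Acc, Size) ->
    Remaining = Deadline - erlang:monotonic_time(millisecond),
    if
        Remaining =< 0 ->
            {error, deadline_exceeded};
        true ->
            receive
                {chunk, _From, Data, Fin} ->
                    NewSize = Size + byte_size(Data),
                    if
                        NewSize > MaxBody ->
                            {error, {body_too_large, NewSize, MaxBody}};
                        Fin =:= true ->
                            {ok, iolist_to_binary(lists:reverse([Data | Acc]))};
                        true ->
                            bounded_loop(Deadline, MaxBody, [Data | Acc], NewSize)
                    end;
                {settings, _From} ->
                    %% housekeeping does not extend the deadline
                    bounded_loop(Deadline, MaxBody, Acc, Size)
            after Remaining ->
                {error, deadline_exceeded}
            end
    end.

%% Drip-feed peer for the demo: N one-byte chunks, Fin = false, Interval ms apart,
%% then it goes quiet so the demo terminates. The server in the advisory never
%% goes quiet.
drip(_To, 0, _Interval) ->
    ok;
drip(To, N, Interval) ->
    To ! {chunk, self(), <<"x">>, false},
    timer:sleep(Interval),
    drip(To, N - 1, Interval).

%% Run one collector against one drip, wait for the drip to finish, and discard
%% anything it sent after the collector had already returned.
run(N, Interval, Collect) ->
    Self = self(),
    {Pid, Ref} = spawn_monitor(fun() -> drip(Self, N, Interval) end),
    Result = Collect(),
    receive {'DOWN', Ref, process, Pid, _} -> ok end,
    flush(),
    Result.

flush() ->
    receive _ -> flush() after 0 -> ok end.

demo() ->
    Timeout = 50,
    %% 1. Unbounded loop, 20 chunks 40 ms apart: each chunk re-arms the 50 ms
    %%    timer, so the loop lives about 800 ms and only times out once the drip
    %%    stops, having buffered every byte it was sent.
    Unbounded = run(20, Timeout - 10, fun() -> collect_unbounded(Timeout, []) end),
    %% 2. Same drip against a 50 ms wall-clock deadline: ends after 50 ms no
    %%    matter how often chunks arrive.
    Deadline = run(20, Timeout - 10, fun() -> collect_bounded(Timeout, 1024) end),
    %% 3. Generous deadline but a 4-byte cap: the fifth chunk trips the cap.
    Capped = run(20, 1, fun() -> collect_bounded(5000, 4) end),
    {Unbounded, Deadline, Capped}.
```

Compile with `erlc h3_body_loop.erl` and call `h3_body_loop:demo()` from an Erlang shell. The three results contrast the same drip-fed stream under the three policies: the unbounded loop outlives its nominal timeout by an order of magnitude and holds every byte it received, the deadline variant returns once wall-clock time is up regardless of message frequency, and the capped variant refuses the body as soon as the accepted byte count would exceed the limit. Housekeeping messages are handled in both loops because the advisory notes they reset the timer too; in the hardened loop they neither extend the deadline nor count toward the cap, which is the property a reviewer would check for in a fix.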

PUBLISHED | Reserved 2026-05-18 | Published 2026-05-25 | Updated 2026-05-27 | Assigner EEF

HIGH: 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-400 Uncontrolled Resource Consumption

Product status

Versions (semver)
Default status: unaffected
2.0.0 before 4.0.1: affected

Commits (git)
Default status: unaffected
0334af206d5099fdf510ed9eda18e34396f065ad before 3d25f9fea26c90609de9d64366fedfe5065413bc: affected

Credits

Peter Ullrich finder

Benoit Chesneau remediation developer

Jonatan Männchen / EEF analyst

References

github.com/...ackney/security/advisories/GHSA-jq4m-q6p2-8gwc exploit

github.com/...ackney/security/advisories/GHSA-jq4m-q6p2-8gwc vendor-advisory related

cna.erlef.org/cves/CVE-2026-47077.html related

osv.dev/vulnerability/EEF-CVE-2026-47077 related

github.com/...ommit/3d25f9fea26c90609de9d64366fedfe5065413bc patch

cve.org (CVE-2026-47077)

nvd.nist.gov (CVE-2026-47077)