Home

Description

Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation. The chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N²) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N³). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification. This vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4. This issue affects cowlib: from 0.6.0 before 2.16.1.

PUBLISHED Reserved 2026-05-04 | Published 2026-05-11 | Updated 2026-05-11 | Assigner EEF




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-400 Uncontrolled Resource Consumption

Product status

Default status
unaffected

0.6.0 (semver) before 2.16.1
affected

Default status
unaffected

8c0e428b012c59f553a264f285ed89d36f791e3e (git) before a4b8039ce8c93ab00867ef6b7e888822c09f4369
affected

Credits

Peter Ullrich finder

Loïc Hoguin remediation developer

References

cna.erlef.org/cves/CVE-2026-7790.html related third-party-advisory

osv.dev/vulnerability/EEF-CVE-2026-7790 related

github.com/...ommit/a4b8039ce8c93ab00867ef6b7e888822c09f4369 patch

cve.org (CVE-2026-7790)

nvd.nist.gov (CVE-2026-7790)

Download JSON