CVE-2026-47066

HIGH · EPSS 48.6%
Published May 25, 2026 (1 month ago) · Modified Jun 17, 2026 (2 weeks ago)
CVSS 4.0 base score 8.7 (High)

Description

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in benoitc hackney allows Excessive Allocation. The Alt-Svc response header parser in src/hackney_altsvc.erl does not guarantee forward progress. When parse_token/2 receives a non-token, non-whitespace, non-comma byte (e.g. !, @, =, ;), it returns the input unchanged. skip_comma/1 also returns the buffer unchanged when the first byte is not a comma. parse_entries/2 then recurses with identical data, creating a tight infinite tail-recursive loop that pins a scheduler at 100% CPU. The calling process never returns. The entry point parse_and_cache/3 is called synchronously in the connection process on every HTTP response. A single-byte Alt-Svc: ! response header is sufficient to trigger the hang; the header is fully controlled by any HTTP origin the client connects to. This issue affects hackney: from 2.0.0-beta.1 before 4.0.1.
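To make the failure mode concrete, here is an added Python illustration (not hackney's Erlang code and not the project's fix): a minimal comma-separated Alt-Svc token loop in the same shape as the vulnerable parser, where a non-token byte consumes nothing, beside a hardened loop with an explicit forward-progress check. The token alphabet, the MAX_STEPS bound and all function names are constructed for this demo.

```python
MAX_STEPS = 10_000  # assumption: bound so the unguarded demo can stop and report

def step(buf: bytes) -> tuple[bytes, bytes]:
    """One iteration in the vulnerable parser's shape: take a token, then skip
    optional whitespace and one comma. A leading non-token byte such as b'!'
    matches neither part, so the input comes back unchanged."""
    i = 0
    # Constructed token alphabet for this demo, not hackney's own definition.
    while i < len(buf) and (bytes([buf[i]]).isalnum() or buf[i] in b"-_."):
        i += 1
    tok, rest = buf[:i], buf[i:].lstrip(b" \t")
    if rest[:1] == b",":
        rest = rest[1:].lstrip(b" \t")
    return tok, rest

def parse_entries_unguarded(buf: bytes) -> list[bytes]:
    """Loop in the vulnerable shape: keep going with whatever is left. When a
    step consumes nothing the state repeats forever; MAX_STEPS exists only so
    this demo reports the stall instead of pinning a scheduler."""
    entries, steps = [], 0
    while buf:
        steps += 1
        if steps > MAX_STEPS:
            raise RuntimeError("no forward progress")
        tok, buf = step(buf)
        if tok:
            entries.append(tok)
    return entries

def parse_entries_guarded(buf: bytes) -> list[bytes]:
    """Hardened loop: a step that leaves the buffer the same length means the
    remainder is unparseable, so stop instead of retrying the same bytes."""
    entries = []
    while buf:
        tok, rest = step(buf)
        if len(rest) == len(buf):  # stalled: bail out, don't spin
            break
        buf = rest
        if tok:
            entries.append(tok)
    return entries

def unguarded_stalls(buf: bytes) -> bool:
    """True when the unguarded loop hits the step bound on this input."""
    try:
        parse_entries_unguarded(buf)
        return False
    except RuntimeError:
        return True
```

The same length-before versus length-after check is a cheap invariant to assert in any hand-written tokenizer loop, and a unit test feeding a single non-token byte catches this class of bug before release.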

CVSS Details

Base Score
8.7
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
48.6% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses (1)

CWE-835

Affected Products (1)

Vendor    Product    Version    Range
benoitc   hackney    *          ≥2.0.0 – <4.0.1

References (4)

  • cna.erlef.org https://cna.erlef.org/cves/CVE-2026-47066.html
    Patch, Third Party Advisory
  • github.com https://github.com/benoitc/hackney/commit/e548aba1f97ffa3f4750da7b772998fb78c01894
    Patch
  • github.com https://github.com/benoitc/hackney/security/advisories/GHSA-6cp8-v795-jr2j
    Exploit, Patch, Vendor Advisory
  • osv.dev https://osv.dev/vulnerability/EEF-CVE-2026-47066
    Patch, Third Party Advisory
