CVE-2026-7790

HIGH EPSS 34.5%
Published May 11, 20261mo ago · Modified Jun 17, 20262w ago
8.7 CVSS 4.0
High
Find Similar
Published May 11, 2026 1mo ago
Last Modified Jun 17, 2026 2w ago

Description

Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation. The chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N²) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N³). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification. This vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4. This issue affects cowlib: from 0.6.0 before 2.16.1.

CVSS Details

Base Score
8.7
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
34.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-400 Uncontrolled Resource Consumption Resource Mgmt

Affected Products 1

VendorProductVersionRange
nineninescowlib*≥0.6.0  –  <2.16.1

References 3

  • cna.erlef.org https://cna.erlef.org/cves/CVE-2026-7790.html
    Third Party Advisory
  • github.com https://github.com/ninenines/cowlib/commit/a4b8039ce8c93ab00867ef6b7e888822c09f4369
    Patch
  • osv.dev https://osv.dev/vulnerability/EEF-CVE-2026-7790
    Third Party Advisory

Remediation

  • github.com https://github.com/ninenines/cowlib/commit/a4b8039ce8c93ab00867ef6b7e888822c09f4369
    Patch