CVE-2026-47066
BaseFortify
Publication date: 2026-05-25
Last updated on: 2026-05-25
Assigner: EEF
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| benoitc | hackney | From 2.0.0-beta.1 (inc) to 4.0.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes a tight infinite tail-recursive loop that pins a scheduler at 100% CPU when processing certain Alt-Svc response headers. Detection can focus on monitoring for unusually high CPU usage in processes using the hackney library versions from 2.0.0-beta.1 before 4.0.1.
Specifically, look for processes stuck at 100% CPU during HTTP response handling, especially when Alt-Svc headers contain unexpected characters like '!'.
While no specific commands are provided, general system monitoring commands such as 'top' or 'htop' on Linux can help identify processes with high CPU usage.
Additionally, network traffic inspection tools can be used to capture HTTP responses and check for Alt-Svc headers containing unusual characters that could trigger the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the hackney library to version 4.0.1 or later, where this vulnerability is fixed.
Until an update can be applied, avoid connecting to HTTP origins that send suspicious Alt-Svc headers containing non-token, non-whitespace, non-comma bytes such as '!', '@', '=', or ';'.
Monitoring and limiting HTTP responses with malformed Alt-Svc headers can reduce the risk of triggering the infinite loop.
Can you explain this vulnerability to me?
This vulnerability is an infinite loop issue in the benoitc hackney library, specifically in the Alt-Svc response header parser located in src/hackney_altsvc.erl. When the parser encounters certain unexpected characters (such as !, @, =, ;) in the Alt-Svc header, it fails to make forward progress and repeatedly processes the same data. This causes a tight infinite tail-recursive loop that pins a scheduler at 100% CPU usage, effectively hanging the calling process.
The problem arises because functions parse_token/2 and skip_comma/1 return the input unchanged when they encounter unexpected bytes, leading parse_entries/2 to recurse indefinitely with identical data. This infinite loop can be triggered by a single-byte Alt-Svc header controlled by any HTTP origin the client connects to.
This affects hackney versions from 2.0.0-beta.1 up to but not including 4.0.1.
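As an added illustration (not hackney's code, and in Python rather than Erlang), here is a minimal Alt-Svc parser in which every helper either consumes at least one byte or raises, so a byte such as '!' can never send the entry loop round again with identical input. The function names echo the parse_entries, parse_token and skip_comma roles the advisory mentions, but their bodies are assumptions; the token alphabet is deliberately narrow, and the `clear` form of the header is not handled.

```python
import string
# Token alphabet assumed for this example (narrower than RFC 7230 tchar); a stray '!' is an error.
TOKEN_CHARS = frozenset(string.ascii_letters + string.digits + "-._")

class AltSvcError(ValueError):
    """Malformed header; raised instead of returning an unchanged position."""

def skip_ws(data, pos):
    return len(data) - len(data[pos:].lstrip(" \t"))

def parse_token(data, pos):
    """Return (token, new_pos); never returns pos unchanged."""
    end = pos
    while end < len(data) and data[end] in TOKEN_CHARS:
        end += 1
    if end == pos:
        raise AltSvcError(f"expected token at {pos}, got {data[pos:pos + 1]!r}")
    return data[pos:end], end

def expect(data, pos, ch):
    """Consume exactly one expected byte ('=', '"', ','); this is the skip_comma role."""
    if pos >= len(data) or data[pos] != ch:
        raise AltSvcError(f"expected {ch!r} at {pos}, got {data[pos:pos + 1]!r}")
    return pos + 1

def parse_entries(header):
    """'h2=":443"; ma=2592000, h3=":443"' -> [(protocol, alt-authority, params), ...]"""
    entries, pos = [], 0
    while pos < len(header):
        start = pos
        proto, pos = parse_token(header, skip_ws(header, pos))
        pos = expect(header, expect(header, pos, "="), '"')
        end = header.find('"', pos)  # -1 (unterminated) makes expect() below fail
        authority, pos = header[pos:end], expect(header, end if end >= 0 else len(header), '"')
        pos, params = skip_ws(header, pos), {}
        while pos < len(header) and header[pos] == ";":
            key, pos = parse_token(header, skip_ws(header, pos + 1))
            params[key], pos = parse_token(header, expect(header, pos, "="))
            pos = skip_ws(header, pos)
        entries.append((proto, authority, params))
        if pos < len(header):
            pos = expect(header, pos, ",")
        assert pos > start, "no forward progress"  # the invariant the advisory says is missing
    return entries

def rejects(header):
    try:
        parse_entries(header)
    except AltSvcError:
        return True
    return False
```

The progress assertion is the check worth carrying into any hand-written parser: if a step can return its input unchanged, the loop around it needs a guard or the step needs to fail loudly.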
How can this vulnerability impact me?
This vulnerability can cause a denial of service condition by causing the affected process to hang and consume 100% CPU indefinitely. Since the infinite loop occurs in the HTTP response processing, an attacker controlling an HTTP origin can trigger this by sending a specially crafted Alt-Svc header.
The impact is that the client application using the vulnerable hackney library may become unresponsive or degraded in performance, potentially affecting availability and reliability of services relying on it.