CVE-2026-47066
Analyzed Analyzed - Analysis Complete
Infinite Loop in Hackney Alt-Svc Header Parser

Publication date: 2026-05-25

Last updated on: 2026-05-27

Assigner: EEF

Description
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in benoitc hackney allows Excessive Allocation. The Alt-Svc response header parser in src/hackney_altsvc.erl does not guarantee forward progress. When parse_token/2 receives a non-token, non-whitespace, non-comma byte (e.g. !, @, =, ;), it returns the input unchanged. skip_comma/1 also returns the buffer unchanged when the first byte is not a comma. parse_entries/2 then recurses with identical data, creating a tight infinite tail-recursive loop that pins a scheduler at 100% CPU. The calling process never returns. The entry point parse_and_cache/3 is called synchronously in the connection process on every HTTP response. A single-byte Alt-Svc: ! response header is sufficient to trigger the hang; the header is fully controlled by any HTTP origin the client connects to. This issue affects hackney: from 2.0.0-beta.1 before 4.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-25
Last Modified
2026-05-27
Generated
2026-06-15
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-47066
EUVD
EUVD-2026-31686
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
benoitc hackney From 2.0.0 (inc) to 4.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an infinite loop issue in the benoitc hackney library, specifically in the Alt-Svc response header parser located in src/hackney_altsvc.erl. When the parser encounters certain unexpected characters (such as !, @, =, ;) in the Alt-Svc header, it fails to make forward progress and repeatedly processes the same data. This causes a tight infinite tail-recursive loop that pins a scheduler at 100% CPU usage, effectively hanging the calling process.

The problem arises because functions parse_token/2 and skip_comma/1 return the input unchanged when they encounter unexpected bytes, leading parse_entries/2 to recurse indefinitely with identical data. This infinite loop can be triggered by a single-byte Alt-Svc header controlled by any HTTP origin the client connects to.

This affects hackney versions from 2.0.0-beta.1 up to but not including 4.0.1.

Impact Analysis

This vulnerability can cause a denial of service condition by causing the affected process to hang and consume 100% CPU indefinitely. Since the infinite loop occurs in the HTTP response processing, an attacker controlling an HTTP origin can trigger this by sending a specially crafted Alt-Svc header.

The impact is that the client application using the vulnerable hackney library may become unresponsive or degraded in performance, potentially affecting availability and reliability of services relying on it.

Detection Guidance

This vulnerability causes a tight infinite tail-recursive loop that pins a scheduler at 100% CPU when processing certain Alt-Svc response headers. Detection can focus on monitoring for unusually high CPU usage in processes using the hackney library versions from 2.0.0-beta.1 before 4.0.1.

Specifically, look for processes stuck at 100% CPU during HTTP response handling, especially when Alt-Svc headers contain unexpected characters like '!'.

While no specific commands are provided, general system monitoring commands such as 'top' or 'htop' on Linux can help identify processes with high CPU usage.

Additionally, network traffic inspection tools can be used to capture HTTP responses and check for Alt-Svc headers containing unusual characters that could trigger the vulnerability.

Mitigation Strategies

Immediate mitigation involves updating the hackney library to version 4.0.1 or later, where this vulnerability is fixed.

Until an update can be applied, avoid connecting to HTTP origins that send suspicious Alt-Svc headers containing non-token, non-whitespace, non-comma bytes such as '!', '@', '=', or ';'.

Monitoring and limiting HTTP responses with malformed Alt-Svc headers can reduce the risk of triggering the infinite loop.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-47066 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47066. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart