CVE-2026-47077
Allocation of Resources Without Limits or Throttling in hackney
Publication date: 2026-05-25
Last updated on: 2026-05-25
Assigner: EEF
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| benoitc | hackney | From 2.0.0 (inc) to 4.0.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Allocation of Resources Without Limits or Throttling issue in the benoitc hackney library, specifically in the hackney_h3:await_response_loop/6 function. The function accumulates the HTTP/3 response body in memory without any size limit. A malicious HTTP/3 server can exploit this by sending small chunks of data just before the timeout expires, keeping the loop alive indefinitely without sending a final frame. This causes the accumulation buffer to grow continuously, eventually exhausting the memory of the BEAM process and causing an out-of-memory condition.
How can this vulnerability impact me? :
The impact of this vulnerability is that a malicious HTTP/3 server can cause a denial of service by exhausting the memory of the affected process. This happens because the vulnerable function accumulates response data without limits, leading to an out-of-memory condition that can crash or severely degrade the performance of applications using the affected hackney versions.