CVE-2026-7790
Undergoing Analysis Undergoing Analysis - In Progress
Uncontrolled Resource Consumption in cowlib via Chunked Transfer-Encoding

Publication date: 2026-05-11

Last updated on: 2026-05-22

Assigner: EEF

Description
Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation. The chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(NΒ²) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(NΒ³). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification. This vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4. This issue affects cowlib: from 0.6.0 before 2.16.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-22
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-7790
EUVD
EUVD-2026-29200
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ninenines cowlib From 0.6.0 (inc) to 2.16.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an unauthenticated remote attacker to cause denial of service through CPU exhaustion and memory amplification by exploiting uncontrolled resource consumption in the chunked transfer-encoding parser.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, denial of service vulnerabilities can impact the availability aspect of these regulations, potentially affecting compliance where system availability is a requirement.

However, there is no direct information provided about how this vulnerability specifically affects compliance with these standards.

Executive Summary

The vulnerability in CVE-2026-7790 is an uncontrolled resource consumption issue in the ninenines cowlib library, specifically in the cow_http_te module. The chunked transfer-encoding parser accepts an unlimited number of hexadecimal digits in the chunk-size field of HTTP/1.1 requests. Each hex digit causes a bignum multiplication operation, resulting in quadratic CPU complexity (O(NΒ²)) and linear memory usage (O(N)) for parsing N hex digits.

When the input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, which raises the computational cost to cubic (O(NΒ³)). An unauthenticated remote attacker can exploit this by sending an HTTP request with a very long chunk-size hex string, causing denial of service through CPU exhaustion and memory amplification.

This vulnerability affects cowlib versions from 0.6.0 up to but not including 2.16.1 and is associated with the source file src/cow_http_te.erl and routines cow_http_te:stream_chunked/2 and cow_http_te:chunked_len/4.

Impact Analysis

This vulnerability can impact you by allowing an unauthenticated remote attacker to cause a denial of service (DoS) condition on your system. By sending a specially crafted HTTP/1.1 request with a very long chunk-size hex string in the Transfer-Encoding header, the attacker can exhaust CPU resources and amplify memory usage.

The excessive CPU and memory consumption can degrade system performance, potentially making services unavailable to legitimate users and causing outages or crashes.

Detection Guidance

This vulnerability can be detected by monitoring HTTP/1.1 requests for unusually long chunk-size hexadecimal strings in the Transfer-Encoding: chunked header. An attacker exploits the vulnerability by sending requests with very long chunk-size hex strings that cause excessive CPU and memory usage.

To detect potential exploitation attempts on your system or network, you can inspect HTTP traffic for chunked transfer-encoding headers with excessively long chunk-size fields.

Suggested commands to detect suspicious requests include using network packet capture and analysis tools such as tcpdump or Wireshark to filter HTTP requests with Transfer-Encoding: chunked and then examining the chunk-size values.

  • Use tcpdump to capture HTTP traffic on port 80 or 443 (if unencrypted): tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
  • Filter captured traffic for 'Transfer-Encoding: chunked' headers and inspect the chunk-size hex strings for abnormal length.
  • Use tools like grep or custom scripts on HTTP server logs to find requests with chunked transfer encoding and unusually long chunk-size values.
Mitigation Strategies

Immediate mitigation involves updating the affected cowlib library to version 2.16.1 or later, where the vulnerability has been fixed by limiting the maximum number of hexadecimal digits in the chunk-size field to 16.

As a partial mitigation, if you are using Cowboy (which depends on cowlib), you can set the initial_stream_flow_size to a lower value to reduce the impact of the vulnerability, although this does not fully resolve the issue.

Additionally, monitoring and filtering incoming HTTP requests to block or rate-limit requests with suspiciously long chunk-size headers can help reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7790. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart