CVE-2026-7790
Uncontrolled Resource Consumption in cowlib via Chunked Transfer-Encoding
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: EEF
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ninenines | cowlib | From 0.6.0 (inc) to 2.16.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an unauthenticated remote attacker to cause denial of service through CPU exhaustion and memory amplification by exploiting uncontrolled resource consumption in the chunked transfer-encoding parser.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, denial of service vulnerabilities can impact the availability aspect of these regulations, potentially affecting compliance where system availability is a requirement.
However, there is no direct information provided about how this vulnerability specifically affects compliance with these standards.
Can you explain this vulnerability to me?
The vulnerability in CVE-2026-7790 is an uncontrolled resource consumption issue in the ninenines cowlib library, specifically in the cow_http_te module. The chunked transfer-encoding parser accepts an unlimited number of hexadecimal digits in the chunk-size field of HTTP/1.1 requests. Each hex digit causes a bignum multiplication operation, resulting in quadratic CPU complexity (O(N²)) and linear memory usage (O(N)) for parsing N hex digits.
When the input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, which raises the computational cost to cubic (O(N³)). An unauthenticated remote attacker can exploit this by sending an HTTP request with a very long chunk-size hex string, causing denial of service through CPU exhaustion and memory amplification.
This vulnerability affects cowlib versions from 0.6.0 up to but not including 2.16.1 and is associated with the source file src/cow_http_te.erl and routines cow_http_te:stream_chunked/2 and cow_http_te:chunked_len/4.
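The two costs described above (one bignum multiply per hex digit, and a full re-parse from zero on every partial read) are easiest to see in a small model. The following is an added Python illustration written for this page, not cowlib's Erlang code; every name in it is an assumption, and chunk extensions are not modelled. It places the unbounded, stateless parsing style beside a parser that caps the digit count at 16 (the limit the fix is described as applying) and keeps its partial value across reads, and it counts digit operations so the difference under drip-feeding is measurable:

```python
"""Illustrative Python model of the chunk-size parsing behaviour described for
cowlib's cow_http_te (not cowlib's Erlang code; all names here are assumptions).
Chunk extensions (';name=value') are not modelled."""

HEX = b"0123456789abcdefABCDEF"
MAX_CHUNK_SIZE_DIGITS = 16  # the cap the advisory says cowlib 2.16.1 enforces


class ChunkSizeTooLong(ValueError):
    """Raised by the hardened parser once the digit cap is exceeded."""


def parse_chunk_size_unbounded(buf: bytes):
    """Vulnerable style: no cap on hex digits and no state kept between calls,
    so a partial read is re-parsed from zero on the next call.
    Returns (size_or_None, unconsumed_rest, digit_ops)."""
    acc, ops = 0, 0
    for i, c in enumerate(buf):
        if c in HEX:
            acc = acc * 16 + int(chr(c), 16)  # bignum multiply on a value that grows with every digit
            ops += 1
        elif buf[i:i + 2] == b"\r\n":
            return acc, buf[i + 2:], ops
        elif c == 0x0D and i == len(buf) - 1:
            break  # CR at end of buffer, LF not yet received
        else:
            raise ValueError("invalid byte in chunk-size line")
    return None, buf, ops  # incomplete: the caller discards all work done so far


class ChunkSizeParser:
    """Hardened, resumable style: caps the digit count and keeps the partial
    value across reads, so drip-feeding costs one operation per digit."""

    def __init__(self, max_digits: int = MAX_CHUNK_SIZE_DIGITS):
        self.max_digits = max_digits
        self.total_ops = 0
        self._reset()

    def _reset(self):
        self.acc, self.ndigits, self.seen_cr = 0, 0, False

    def feed(self, data: bytes):
        """Consume bytes; return (size, rest) when the line completes, else None."""
        for i, c in enumerate(data):
            if self.seen_cr:
                if c != 0x0A:
                    raise ValueError("CR not followed by LF")
                size, rest = self.acc, data[i + 1:]
                self._reset()
                return size, rest
            if c == 0x0D:
                self.seen_cr = True
            elif c in HEX:
                if self.ndigits >= self.max_digits:
                    raise ChunkSizeTooLong(f"chunk-size exceeds {self.max_digits} hex digits")
                self.acc = self.acc * 16 + int(chr(c), 16)
                self.ndigits += 1
                self.total_ops += 1
            else:
                raise ValueError("invalid byte in chunk-size line")
        return None


def drip_feed_unbounded(digits: bytes, piece: int = 1):
    """Deliver digits+CRLF to the stateless parser `piece` bytes per read,
    re-parsing the whole buffer each time. Returns (size, total_digit_ops)."""
    stream, buf, total = digits + b"\r\n", b"", 0
    for i in range(0, len(stream), piece):
        buf += stream[i:i + piece]
        size, _rest, ops = parse_chunk_size_unbounded(buf)
        total += ops
        if size is not None:
            return size, total
    raise AssertionError("stream ended without CRLF")


def drip_feed_hardened(digits: bytes, piece: int = 1, max_digits: int = MAX_CHUNK_SIZE_DIGITS):
    """Same delivery pattern against the resumable parser. Returns (size, total_digit_ops)."""
    parser, stream = ChunkSizeParser(max_digits), digits + b"\r\n"
    for i in range(0, len(stream), piece):
        result = parser.feed(stream[i:i + piece])
        if result is not None:
            return result[0], parser.total_ops
    raise AssertionError("stream ended without CRLF")


def hardened_accepts(digits: bytes) -> bool:
    """True if the hardened parser accepts this chunk-size field, False if it rejects it."""
    try:
        drip_feed_hardened(digits)
        return True
    except ChunkSizeTooLong:
        return False


if __name__ == "__main__":
    for n in (16, 64, 256):
        _, slow = drip_feed_unbounded(b"f" * n, piece=1)
        _, fast = drip_feed_hardened(b"f" * n, piece=1, max_digits=n)  # cap raised only to measure
        print(f"{n} digits drip-fed one byte at a time: stateless re-parse {slow} ops vs resumable {fast} ops")
    print("hardened parser accepts 17 digits:", hardened_accepts(b"1" * 17))
```

The operation counter only measures parsing steps; the real cost per step also grows with the size of the accumulated integer, which is what turns the stateless re-parse into the cubic case the description mentions. The resumable parser rejects the 17th digit before doing any further work, so an oversized field costs at most 16 multiplies however it is delivered.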
How can this vulnerability impact me?
This vulnerability can impact you by allowing an unauthenticated remote attacker to cause a denial of service (DoS) condition on your system. By sending a specially crafted HTTP/1.1 request with a Transfer-Encoding: chunked header whose body carries a very long chunk-size hex string, the attacker can exhaust CPU resources and amplify memory usage.
The excessive CPU and memory consumption can degrade system performance, potentially making services unavailable to legitimate users and causing outages or crashes.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP/1.1 requests that carry a Transfer-Encoding: chunked header for unusually long chunk-size hexadecimal strings in the request body. An attacker exploits the vulnerability by sending requests with very long chunk-size hex strings that cause excessive CPU and memory usage.
To detect potential exploitation attempts on your system or network, you can inspect HTTP traffic for chunked transfer-encoding headers with excessively long chunk-size fields.
Suggested commands to detect suspicious requests include using network packet capture and analysis tools such as tcpdump or Wireshark to filter HTTP requests with Transfer-Encoding: chunked and then examining the chunk-size values.
- Use tcpdump to capture HTTP traffic on port 80 (the filter below only shows unencrypted HTTP with a non-empty payload; TLS traffic on port 443 has to be inspected after termination, for example at a reverse proxy): `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'`
- Filter captured traffic for 'Transfer-Encoding: chunked' headers and inspect the chunk-size hex strings for abnormal length.
- Use tools like grep or custom scripts on HTTP server logs to find requests with chunked transfer encoding and unusually long chunk-size values.
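The "custom scripts" step above amounts to walking the chunk framing of each request and flagging any chunk-size field whose hex-digit run is longer than a legitimate size could need. The following is an added Python example written for this page (not a tool from the cowlib project); the threshold, function names and the sample requests are assumptions, and the samples are constructed, not captured traffic. It also flags a chunk-size line that never reaches its CRLF, which is what a drip-fed field looks like in a partial read:

```python
"""Offline detector (constructed example): flag HTTP/1.1 requests whose chunked
body carries a chunk-size field with an abnormally long run of hex digits.
Names, thresholds and the sample requests are assumptions for this illustration."""
import re

MAX_LEGIT_DIGITS = 16  # same cap the fixed cowlib applies; 16 hex digits already span 64 bits

_TE_CHUNKED = re.compile(rb"^transfer-encoding:[ \t]*(?:[^\r\n]*,[ \t]*)?chunked[ \t]*\r?$", re.I | re.M)
_HEX_RUN = re.compile(rb"[0-9a-fA-F]+")


def inspect_request(raw: bytes, max_digits: int = MAX_LEGIT_DIGITS):
    """Walk the chunk framing of one raw request and return a list of findings
    (strings); an empty list means nothing suspicious was seen."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not _TE_CHUNKED.search(head):
        return []  # not chunked, so the chunked parser is never reached
    findings, pos = [], 0
    while pos < len(body):
        m = _HEX_RUN.match(body, pos)  # match() anchors at pos
        if not m:
            findings.append(f"offset {pos}: chunk-size line does not start with a hex digit")
            break
        ndigits = m.end() - pos
        if ndigits > max_digits:
            findings.append(f"offset {pos}: chunk-size field has {ndigits} hex digits (limit {max_digits})")
            break
        eol = body.find(b"\r\n", m.end())  # any chunk extension sits between the digits and CRLF
        if eol < 0:
            findings.append(f"offset {pos}: chunk-size line not terminated by CRLF")
            break
        size = int(m.group(0), 16)
        if size == 0:
            break  # last-chunk; any trailers follow and are not chunk framing
        pos = eol + 2 + size + 2  # skip chunk-data and the CRLF that ends it
    return findings


def scan_requests(requests):
    """Return {index: findings} for every request that produced a finding."""
    return {i: f for i, r in enumerate(requests) if (f := inspect_request(r))}


# Constructed sample traffic (not real captures).
_HEAD = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
SAMPLE_BENIGN = _HEAD + b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
SAMPLE_LONG_SIZE = _HEAD + b"f" * 200 + b"\r\n"  # the oversized field the advisory describes
SAMPLE_DRIP = _HEAD + b"abcd"                    # partial read: no CRLF received yet
SAMPLE_PLAIN = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    samples = [SAMPLE_BENIGN, SAMPLE_LONG_SIZE, SAMPLE_DRIP, SAMPLE_PLAIN]
    for idx, findings in scan_requests(samples).items():
        for finding in findings:
            print(f"request {idx}: {finding}")
```

Feed it reassembled request bytes (for example the payload of a tcpdump -A stream, or the raw request bodies a reverse proxy is configured to log); for TLS-terminated services the inspection has to happen where plaintext is available. The unterminated-line finding is noisy on genuinely partial captures, so it is most useful on complete streams or with a minimum-length floor.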
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the affected cowlib library to version 2.16.1 or later, where the vulnerability has been fixed by limiting the maximum number of hexadecimal digits in the chunk-size field to 16.
As a partial mitigation, if you are using Cowboy (which depends on cowlib), you can set the initial_stream_flow_size to a lower value to reduce the impact of the vulnerability, although this does not fully resolve the issue.
Additionally, monitoring and filtering incoming HTTP requests to block or rate-limit requests with suspiciously long chunk-size headers can help reduce the risk of exploitation.