CVE-2026-43973
Uncontrolled Resource Consumption in gun HTTP Server

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: EEF

Description
Uncontrolled Resource Consumption vulnerability in ninenines gun (gun_http module) allows a malicious server to exhaust client memory via unbounded HTTP/1.1 response buffering. In gun_http:handle/5, three clauses accumulate incoming TCP data into the connection's buffer field using binary concatenation with no upper-bound check: the head clause appends data until the \r\n\r\n header terminator is found; the body_chunked clause appends data whenever cow_http_te:stream_chunked/2 returns a `more` result indicating an incomplete chunk boundary; and the body_trailer clause appends data until the trailing \r\n\r\n is found. In each case, when the expected terminator never arrives, the enlarged binary is stored back into state and the process waits for more data, with no configurable or hard-coded ceiling on buffer size.

A malicious or compromised server can exploit this by sending a partial response that never completes. For example, a response may begin with HTTP/1.1 200 OK\r\nX-Pad: followed by an unbounded stream of arbitrary bytes, never sending the header terminator. The gun connection process will continuously append the incoming data to its buffer, causing unbounded heap growth. Because BEAM imposes no per-process heap limit by default, a single malicious connection can exhaust all available memory on the node, causing a node-wide out-of-memory crash.

This issue affects gun: from 1.0.0 before 2.4.0.
Affected Vendors & Products

Vendor     Product   Version / Range
ninenines  gun       up to 2.4.0 (exc)
ninenines  gun       from 1.0.0 (inc) to 2.4.0 (exc)
CWE

CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Executive Summary

CVE-2026-43973 is an uncontrolled resource consumption vulnerability in the ninenines gun HTTP/1.1 client library, specifically in the gun_http module. The vulnerability arises because the function gun_http:handle/5 accumulates incoming TCP data into a buffer without any upper-bound checks in three scenarios: parsing headers until the header terminator \r\n\r\n is found, handling chunked transfer encoding until an incomplete chunk boundary is resolved, and processing trailers until the trailer terminator \r\n\r\n is found.

If a malicious or compromised server sends a partial HTTP response that never completes (for example, starting a response but never sending the header terminator), the buffer will grow indefinitely as data is continuously appended. Because the BEAM virtual machine does not impose per-process heap limits by default, this unbounded buffer growth can exhaust all available memory on the client node, causing a node-wide out-of-memory crash.

This issue affects gun versions from 1.0.0 before 2.4.0.

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) condition on the client side by exhausting all available memory. A malicious server can exploit the vulnerability by sending an incomplete HTTP response that causes the client's buffer to grow without limit, eventually causing the entire node running the gun client to crash due to out-of-memory.

Such a crash can disrupt services relying on the gun HTTP client, leading to downtime, loss of availability, and potential cascading failures in systems depending on the affected node.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high memory usage by the gun HTTP client process, which may indicate unbounded buffer growth caused by a malicious or compromised server sending incomplete HTTP/1.1 responses.

Since the vulnerability involves unbounded buffering of HTTP response data, you can look for gun client processes consuming excessive memory or hanging connections waiting for response terminators.

Specific commands to detect this condition might include:

  • Using system tools like `top` or `htop` to identify processes with high memory usage.
  • Using `lsof` or `netstat` to identify open TCP connections to suspicious or untrusted servers.
  • Using Erlang observer or process inspection tools to monitor the memory usage of gun connection processes.
  • Checking logs or metrics for repeated or long-lived HTTP connections without complete responses.
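As an added example (not part of the CVE record or of gun itself), the following Erlang module implements the "process inspection" item above: it lists processes on the local node whose memory exceeds a threshold, together with the fields needed to tell a gun connection that is stuck accumulating a never-ending response from a legitimately busy process. The module name, the threshold and the polling interval are assumptions.

```erlang
%% Added example, not part of the CVE record or of gun: list processes on
%% the local node whose memory exceeds a threshold. Module name, threshold
%% and polling interval are assumptions chosen for illustration.
-module(heap_watch).
-export([large_processes/1, watch/2]).

%% Returns [{Pid, MemoryBytes, Info}] sorted largest first. Info carries
%% initial_call, current_function and message_queue_len so the operator can
%% see which module owns the process and what it is currently waiting on.
large_processes(ThresholdBytes) ->
    Keys = [memory, initial_call, current_function, message_queue_len],
    Big = lists:filtermap(
        fun(Pid) ->
            case erlang:process_info(Pid, Keys) of
                undefined -> false;          % process exited meanwhile
                [{memory, Mem} | _] = Info when Mem > ThresholdBytes ->
                    {true, {Pid, Mem, Info}};
                _ -> false
            end
        end, erlang:processes()),
    lists:reverse(lists:keysort(2, Big)).

%% Poll every IntervalMs milliseconds and log offenders. A process that keeps
%% reappearing with a growing memory figure while parked in a receive loop
%% is the client-side pattern this CVE produces.
watch(ThresholdBytes, IntervalMs) ->
    case large_processes(ThresholdBytes) of
        [] -> ok;
        Offenders ->
            lists:foreach(
                fun({Pid, Mem, Info}) ->
                    logger:warning("large process ~p: ~p bytes ~p",
                                   [Pid, Mem, Info])
                end, Offenders)
    end,
    timer:sleep(IntervalMs),
    watch(ThresholdBytes, IntervalMs).
```

Besides observing growth, OTP lets you cap it: the `max_heap_size` process flag (or the node-wide `+hmax` emulator flag) turns runaway heap growth into a killed process rather than a node-wide crash, which is a useful stopgap until the upgrade below is applied.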

Mitigation Strategies

To mitigate this vulnerability, upgrade the gun HTTP client library to version 2.4.0 or later, where the issue is fixed.

The fix introduces configurable options `max_header_block_size` and `max_trailer_block_size` that impose soft limits on the maximum size of response header and trailer blocks, preventing unbounded buffer growth.

By setting these options, the gun client will close connections that exceed these limits with a `limit_reached` error, protecting against memory exhaustion attacks.

Until you can upgrade, consider monitoring and limiting memory usage of gun processes and restricting connections to trusted servers only.
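To make the vulnerable pattern from the description and the shape of the fix concrete, here is an added Erlang illustration (not code from gun or from the CVE record): a simplified response-head accumulator in the form the description attributes to the head clause of gun_http:handle/5, beside a bounded variant. The module and function names and the MaxSize ceiling are assumptions, and the bounded check is modelled on the semantics of `max_header_block_size` stated above rather than copied from gun 2.4.0; the same check applies to the chunked-body and trailer clauses.

```erlang
%% Added illustration, not gun's own code: a simplified HTTP/1.1 response-head
%% accumulator in the shape the CVE describes, next to a bounded variant whose
%% ceiling (MaxSize) is assumed to mirror gun 2.4.0's max_header_block_size.
-module(head_buffer_demo).
-export([unbounded_head/2, bounded_head/3, demo/0]).

%% Vulnerable shape: concatenate until "\r\n\r\n" appears. On nomatch the caller
%% keeps the enlarged binary in state, so a server that never sends the
%% terminator grows the heap without limit.
unbounded_head(Buffer, Data) ->
    Buffer2 = <<Buffer/binary, Data/binary>>,
    split_head(Buffer2).

%% Hardened shape: same accumulation, but the concatenated buffer is checked
%% against MaxSize before it is kept; exceeding it returns
%% {error, limit_reached} so the caller can close the connection instead.
bounded_head(Buffer, Data, MaxSize) ->
    Buffer2 = <<Buffer/binary, Data/binary>>,
    case byte_size(Buffer2) > MaxSize of
        true -> {error, limit_reached};
        false -> split_head(Buffer2)
    end.

split_head(Buffer) ->
    case binary:match(Buffer, <<"\r\n\r\n">>) of
        nomatch ->
            {more, Buffer};
        {Pos, 4} ->
            <<Head:Pos/binary, "\r\n\r\n", Rest/binary>> = Buffer,
            {ok, Head, Rest}
    end.

%% Constructed input: a status line plus a header value that never ends,
%% delivered in 64 KiB slices the way a malicious server might send it.
demo() ->
    Start = <<"HTTP/1.1 200 OK\r\nX-Pad: ">>,
    Slice = binary:copy(<<"A">>, 65536),
    MaxSize = 32768,
    Bounded = feed(fun(B, D) -> bounded_head(B, D, MaxSize) end, Start, Slice, 100),
    Unbounded = feed(fun unbounded_head/2, Start, Slice, 100),
    %% Bounded fails fast with limit_reached on the first slice; Unbounded is
    %% still asking for more data after 100 slices, held back only by the cap.
    {Bounded, Unbounded}.

feed(_Fun, Buffer, _Slice, 0) -> {still_waiting, byte_size(Buffer)};
feed(Fun, Buffer, Slice, N) ->
    case Fun(Buffer, Slice) of
        {more, Buffer2} -> feed(Fun, Buffer2, Slice, N - 1);
        Result -> Result
    end.
```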
