CVE-2026-43970
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion.
cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2.
This issue affects cowlib from 0.1.0 before 2.16.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ninenines | cowlib | 0.1.0 < 2.16.1 | affected |
| ninenines | cowlib | fad5c0049df278cc498b6cdb519b09e845a070a8 < 16aad3fb9f81f5cda4d1706ff0c54237c619c282 | affected |
Weaknesses
- CWE-409: CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://cna.erlef.org/cves/CVE-2026-43970.html
- https://osv.dev/vulnerability/EEF-CVE-2026-43970
- https://github.com/ninenines/cowlib/commit/16aad3fb9f81f5cda4d1706ff0c54237c619c282
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.