CVE-2026-8468 – Unbounded buffer accumulation in multipart header parsing causes denial of service in plug

CVE ID :CVE-2026-8468

Published : May 14, 2026, 10:29 a.m. | 28 minutes ago

Description :Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing.

plug_multipart in src/plug_multipart.erl is a fork of the cow_multipart module from ninenines cowboy (CVE-2026-8466). The same unbounded accumulation pattern is present in ‘Elixir.Plug.Conn’:read_part_headers/2 in lib/plug/conn.ex: it accumulates incoming request bytes into a growing binary with no upper-bound check. When plug_multipart:parse_headers/2 returns more or {more, Buffer}, the function reads up to 64 KB from the underlying socket and recurses with the enlarged buffer. There is no equivalent of the byte_size(acc) > length guard present in the sibling function read_part_body/8. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section — for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain rnrn — and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory.

This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.

Severity: 8.2 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-45205 – Apache Commons Configuration: StackOverflowError for YAML input with cycles

CVE-2025-68420 – Privilege Escalation in Comarch ERP Optima

CVE-2025-68421 – Hardcoded credentials in Comarch ERP Optima

CVE-2026-8295 – Integer overflow in simdjson