CVE-2026-8466 – Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy

CVE ID :CVE-2026-8466

Published : May 13, 2026, 6:26 p.m. | 31 minutes ago

Description :Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing.

cowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cow_multipart:parse_headers/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the byte_size(Acc) > Length guard present in the sibling function read_part_body/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section — for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain rnrn — and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory.

This issue affects cowboy from 2.0.0 before 2.15.0.

Severity: 8.2 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-0239 – Chronosphere Chronocollector Information Disclosure Vulnerability

CVE-2026-0250 – GlobalProtect App: Buffer Overflow Vulnerability during connection to Portal or Gateway

CVE-2026-44248 – Netty: Resource exhaustion in MqttDecoder

CVE-2026-42587 – Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables decompression bomb DoS