{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7790", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "state": "PUBLISHED", "assignerShortName": "EEF", "dateReserved": "2026-05-04T18:23:21.380Z", "datePublished": "2026-05-11T18:06:41.490Z", "dateUpdated": "2026-05-11T18:56:31.426Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://hex.pm", "cpes": ["cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["cow_http_te"], "packageName": "cowlib", "packageURL": "pkg:hex/cowlib", "product": "cowlib", "programFiles": ["src/cow_http_te.erl"], "programRoutines": [{"name": "cow_http_te:stream_chunked/2"}, {"name": "cow_http_te:chunked_len/4"}], "repo": "https://github.com/ninenines/cowlib", "vendor": "ninenines", "versions": [{"lessThan": "2.16.1", "status": "affected", "version": "0.6.0", "versionType": "semver"}]}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["cow_http_te"], "packageName": "ninenines/cowlib", "packageURL": "pkg:github/ninenines/cowlib", "product": "cowlib", "programFiles": ["src/cow_http_te.erl"], "programRoutines": [{"name": "cow_http_te:stream_chunked/2"}, {"name": "cow_http_te:chunked_len/4"}], "repo": "https://github.com/ninenines/cowlib", "vendor": "ninenines", "versions": [{"lessThan": "a4b8039ce8c93ab00867ef6b7e888822c09f4369", "status": "affected", "version": "8c0e428b012c59f553a264f285ed89d36f791e3e", "versionType": "git"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.16.1", "versionStartIncluding": "0.6.0", "vulnerable": true}], "negate": false, "operator": "AND"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Ullrich"}, {"lang": "en", "type": "remediation developer", "value": "Lo\u00efc Hoguin"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation.<p>The chunked transfer-encoding parser in <tt>cow_http_te</tt> accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (<tt>Len * 16 + digit</tt>), so parsing <tt>N</tt> hex digits requires O(N\u00b2) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N\u00b3). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with <tt>Transfer-Encoding: chunked</tt> and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification.</p><p>This vulnerability is associated with program file <tt>src/cow_http_te.erl</tt> and program routines <tt>cow_http_te:stream_chunked/2</tt>, <tt>cow_http_te:chunked_len/4</tt>.</p><p>This issue affects cowlib: from 0.6.0 before 2.16.1.</p>"}], "value": "Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation.\n\nThe chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N\u00b2) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N\u00b3). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification.\n\nThis vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4.\n\nThis issue affects cowlib: from 0.6.0 before 2.16.1."}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"cvssV4_0": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-05-11T18:06:41.490Z"}, "references": [{"tags": ["related", "third-party-advisory"], "url": "https://cna.erlef.org/cves/CVE-2026-7790.html"}, {"tags": ["related"], "url": "https://osv.dev/vulnerability/EEF-CVE-2026-7790"}, {"tags": ["patch"], "url": "https://github.com/ninenines/cowlib/commit/a4b8039ce8c93ab00867ef6b7e888822c09f4369"}], "source": {"discovery": "EXTERNAL"}, "title": "Unbounded chunk-size hex digits in cowlib cause quadratic CPU and memory DoS", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In Cowboy, setting <tt>initial_stream_flow_size</tt> to a much lower value limits the amount of chunked body data that cowlib will parse in a single read, reducing the window of data an attacker can use to trigger the quadratic work. This does not fully eliminate the vulnerability but can significantly reduce its impact for some applications.</p>"}], "value": "In Cowboy, setting initial_stream_flow_size to a much lower value limits the amount of chunked body data that cowlib will parse in a single read, reducing the window of data an attacker can use to trigger the quadratic work. This does not fully eliminate the vulnerability but can significantly reduce its impact for some applications."}], "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-11T18:56:19.590262Z", "id": "CVE-2026-7790", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-11T18:56:31.426Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7790", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "state": "PUBLISHED", "assignerShortName": "EEF", "dateReserved": "2026-05-04T18:23:21.380Z", "datePublished": "2026-05-11T18:06:41.490Z", "dateUpdated": "2026-05-11T18:56:31.426Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://hex.pm", "cpes": ["cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["cow_http_te"], "packageName": "cowlib", "packageURL": "pkg:hex/cowlib", "product": "cowlib", "programFiles": ["src/cow_http_te.erl"], "programRoutines": [{"name": "cow_http_te:stream_chunked/2"}, {"name": "cow_http_te:chunked_len/4"}], "repo": "https://github.com/ninenines/cowlib", "vendor": "ninenines", "versions": [{"lessThan": "2.16.1", "status": "affected", "version": "0.6.0", "versionType": "semver"}]}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["cow_http_te"], "packageName": "ninenines/cowlib", "packageURL": "pkg:github/ninenines/cowlib", "product": "cowlib", "programFiles": ["src/cow_http_te.erl"], "programRoutines": [{"name": "cow_http_te:stream_chunked/2"}, {"name": "cow_http_te:chunked_len/4"}], "repo": "https://github.com/ninenines/cowlib", "vendor": "ninenines", "versions": [{"lessThan": "a4b8039ce8c93ab00867ef6b7e888822c09f4369", "status": "affected", "version": "8c0e428b012c59f553a264f285ed89d36f791e3e", "versionType": "git"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.16.1", "versionStartIncluding": "0.6.0", "vulnerable": true}], "negate": false, "operator": "AND"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Ullrich"}, {"lang": "en", "type": "remediation developer", "value": "Lo\u00efc Hoguin"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation.<p>The chunked transfer-encoding parser in <tt>cow_http_te</tt> accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (<tt>Len * 16 + digit</tt>), so parsing <tt>N</tt> hex digits requires O(N\u00b2) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N\u00b3). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with <tt>Transfer-Encoding: chunked</tt> and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification.</p><p>This vulnerability is associated with program file <tt>src/cow_http_te.erl</tt> and program routines <tt>cow_http_te:stream_chunked/2</tt>, <tt>cow_http_te:chunked_len/4</tt>.</p><p>This issue affects cowlib: from 0.6.0 before 2.16.1.</p>"}], "value": "Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation.\n\nThe chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N\u00b2) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N\u00b3). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification.\n\nThis vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4.\n\nThis issue affects cowlib: from 0.6.0 before 2.16.1."}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"cvssV4_0": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-05-11T18:06:41.490Z"}, "references": [{"tags": ["related", "third-party-advisory"], "url": "https://cna.erlef.org/cves/CVE-2026-7790.html"}, {"tags": ["related"], "url": "https://osv.dev/vulnerability/EEF-CVE-2026-7790"}, {"tags": ["patch"], "url": "https://github.com/ninenines/cowlib/commit/a4b8039ce8c93ab00867ef6b7e888822c09f4369"}], "source": {"discovery": "EXTERNAL"}, "title": "Unbounded chunk-size hex digits in cowlib cause quadratic CPU and memory DoS", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In Cowboy, setting <tt>initial_stream_flow_size</tt> to a much lower value limits the amount of chunked body data that cowlib will parse in a single read, reducing the window of data an attacker can use to trigger the quadratic work. This does not fully eliminate the vulnerability but can significantly reduce its impact for some applications.</p>"}], "value": "In Cowboy, setting initial_stream_flow_size to a much lower value limits the amount of chunked body data that cowlib will parse in a single read, reducing the window of data an attacker can use to trigger the quadratic work. This does not fully eliminate the vulnerability but can significantly reduce its impact for some applications."}], "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-7790", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-11T18:56:19.590262Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-11T18:56:27.213Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation.\n\nThe chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N\u00b2) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N\u00b3). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification.\n\nThis vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4.\n\nThis issue affects cowlib: from 0.6.0 before 2.16.1."}], "id": "CVE-2026-7790", "lastModified": "2026-05-11T19:16:29.477", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}, "published": "2026-05-11T19:16:29.477", "references": [{"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://cna.erlef.org/cves/CVE-2026-7790.html"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/ninenines/cowlib/commit/a4b8039ce8c93ab00867ef6b7e888822c09f4369"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://osv.dev/vulnerability/EEF-CVE-2026-7790"}], "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}

{}