Source: erlang-cowlib Version: 1.3.0-3 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for erlang-cowlib. CVE-2026-7790[0]: | Uncontrolled Resource Consumption vulnerability in ninenines cowlib | (cow_http_te module) allows Excessive Allocation. The chunked | transfer-encoding parser in cow_http_te accepts an unbounded number | of hex digits in the chunk-size field. Each digit causes a bignum | multiplication (Len * 16 + digit), so parsing N hex digits requires | O(N²) CPU work and O(N) memory. Additionally, when input is drip- | fed, the parser discards the accumulated length on each partial read | and restarts from zero on resumption, raising the cost to O(N³). An | unauthenticated remote attacker can exploit this by sending an | HTTP/1.1 request with Transfer-Encoding: chunked and a very long | chunk-size hex string to cause denial of service through CPU | exhaustion and memory amplification. This vulnerability is | associated with program file src/cow_http_te.erl and program | routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4. | This issue affects cowlib: from 0.6.0 before 2.16.1. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-7790 https://www.cve.org/CVERecord?id=CVE-2026-7790 [1] https://cna.erlef.org/cves/CVE-2026-7790.html [2] https://osv.dev/vulnerability/EEF-CVE-2026-7790 [3] https://github.com/ninenines/cowlib/commit/a4b8039ce8c93ab00867ef6b7e888822c09f4369 Regards, Salvatore
