{"id":"CVE-2026-32688","summary":"Atom table exhaustion via HTTP/2 :scheme pseudo-header in plug_cowboy","details":"Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plug_cowboy allows unauthenticated remote denial of service via atom table exhaustion.\n\nPlug.Cowboy.Conn.conn/1 in lib/plug/cowboy/conn.ex calls String.to_atom/1 on the value returned by :cowboy_req.scheme/1. For HTTP/2 connections, cowlib passes the client-supplied :scheme pseudo-header value through verbatim without validation. Each unique value permanently allocates a new entry in the BEAM atom table. Since atoms are never garbage-collected and the atom table has a fixed limit (default 1,048,576), an unauthenticated attacker can exhaust the table by sending HTTP/2 requests with unique :scheme values, causing the Erlang VM to abort with system_limit and taking down the entire node.\n\nThis vulnerability does not affect HTTP/1.1, where cowboy derives the scheme from the listener type rather than from a client-supplied header.\n\nThis issue affects plug_cowboy: from 2.0.0 before 2.8.1.","aliases":["EEF-CVE-2026-32688","GHSA-q8x4-x7mp-5vg2"],"modified":"2026-07-08T08:12:58.604425854Z","published":"2026-04-27T13:45:35.160Z","database_specific":{"cna_assigner":"EEF","cwe_ids":["CWE-770"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32688.json","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"12ecfd024bb179d48b018fecf074e43fe6a19c83"},{"fixed":"bfb34cb45eb354e56437f7023fb306de1bf9c19b"}]}]},"references":[{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-32688.html"},{"type":"WEB","url":"https://github.com"},{"type":"WEB","url":"https://osv.dev/vulnerability/EEF-CVE-2026-32688"},{"type":"WEB","url":"https://repo.hex.pm"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32688.json"},{"type":"ADVISORY","url":"https://github.com/elixir-plug/plug_cowboy/security/advisories/GHSA-q8x4-x7mp-5vg2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32688"},{"type":"FIX","url":"https://github.com/elixir-plug/plug_cowboy/commit/bfb34cb45eb354e56437f7023fb306de1bf9c19b"},{"type":"PACKAGE","url":"https://github.com/elixir-plug/plug_cowboy"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elixir-plug/plug_cowboy","events":[{"introduced":"8d60f2912743834b48544e6fd1f01f832d660cb1"},{"fixed":"fd0841f4ef974b95a5050a2b5959585c56fb3776"},{"fixed":"bfb34cb45eb354e56437f7023fb306de1bf9c19b"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:elixir-plug:plug.cowboy:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"2.0.0"},{"fixed":"2.8.1"}]}}],"versions":["v2.8.0","v2.7.5","v2.7.4","v2.7.3","v2.7.2","v2.7.1","v2.7.0","v2.6.2","v2.6.1","v2.6.0","v2.5.2","v2.5.1","v2.5.0","v2.4.0","v2.3.0","v2.2.2","v2.2.1","v2.2.0","v2.1.2","v2.1.1","v2.1.0","v2.0.2","v2.0.1","v2.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32688.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}