{"id":"CVE-2026-43970","summary":"Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame","details":"Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion.\n\ncow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2.\n\nThis issue affects cowlib from 0.1.0 before 2.16.1.","aliases":["EEF-CVE-2026-43970","GHSA-84f2-rp86-235p"],"modified":"2026-07-08T08:13:29.452986877Z","published":"2026-05-13T18:43:11.640Z","database_specific":{"cwe_ids":["CWE-409"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43970.json","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"fad5c0049df278cc498b6cdb519b09e845a070a8"},{"fixed":"16aad3fb9f81f5cda4d1706ff0c54237c619c282"}]}],"cna_assigner":"EEF"},"references":[{"type":"WEB","url":"https://github.com"},{"type":"WEB","url":"https://osv.dev/vulnerability/EEF-CVE-2026-43970"},{"type":"WEB","url":"https://repo.hex.pm"},{"type":"ADVISORY","url":"https://cna.erlef.org/cves/CVE-2026-43970.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43970.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43970"},{"type":"FIX","url":"https://github.com/ninenines/cowlib/commit/16aad3fb9f81f5cda4d1706ff0c54237c619c282"},{"type":"PACKAGE","url":"https://github.com/ninenines/cowlib"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ninenines/cowlib","events":[{"introduced":"2f35af5b0a67f591dde5ae4305a9587988a37c0c"},{"fixed":"bae6b022af54566f3518a3aa59083b4591d552de"},{"fixed":"16aad3fb9f81f5cda4d1706ff0c54237c619c282"}],"database_specific":{"extracted_events":[{"introduced":"0.1.0"},{"fixed":"2.16.1"}],"source":["DESCRIPTION","REFERENCES"]}}],"versions":["2.16.0","2.15.0","2.14.0","2.13.0","2.12.1","2.12.0","2.11.0","2.10.1","2.10.0","2.9.1","2.9.0","2.8.0","2.7.3","2.7.2","2.7.1","2.7.0","2.6.0","2.5.1","2.5.0","2.4.0","2.3.0","2.2.1","2.2.0","2.1.0","2.0.1","2.0.0","2.0.0-rc.1","2.0.0-pre.1","1.0.1","1.3.0","1.2.0","1.1.0","1.0.0","0.6.2","0.6.1","0.6.0","0.5.1","0.5.0","0.4.0","0.3.0","0.2.0","0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43970.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}