{"id":"CVE-2026-7790","summary":"Unbounded chunk-size hex digits in cowlib cause quadratic CPU and memory DoS","details":"Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation.\n\nThe chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N²) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N³). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification.\n\nThis vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4.\n\nThis issue affects cowlib: from 0.6.0 before 2.16.1.","aliases":["EEF-CVE-2026-7790","GHSA-32p9-57cr-4x65"],"modified":"2026-07-08T08:12:41.202210593Z","published":"2026-05-11T18:06:41.490Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7790.json","cwe_ids":["CWE-400"],"unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"8c0e428b012c59f553a264f285ed89d36f791e3e"},{"fixed":"a4b8039ce8c93ab00867ef6b7e888822c09f4369"}]}],"cna_assigner":"EEF"},"references":[{"type":"WEB","url":"https://github.com"},{"type":"WEB","url":"https://osv.dev/vulnerability/EEF-CVE-2026-7790"},{"type":"WEB","url":"https://repo.hex.pm"},{"type":"ADVISORY","url":"https://cna.erlef.org/cves/CVE-2026-7790.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7790.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-7790"},{"type":"FIX","url":"https://github.com/ninenines/cowlib/commit/a4b8039ce8c93ab00867ef6b7e888822c09f4369"},{"type":"PACKAGE","url":"https://github.com/ninenines/cowlib"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ninenines/cowlib","events":[{"introduced":"a6626f3b4539b07366034b4953ab2df29e3a9d58"},{"fixed":"bae6b022af54566f3518a3aa59083b4591d552de"},{"fixed":"a4b8039ce8c93ab00867ef6b7e888822c09f4369"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"extracted_events":[{"introduced":"0.6.0"},{"fixed":"2.16.1"}],"cpe":"cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"}}],"versions":["2.16.0","2.15.0","2.14.0","2.13.0","2.12.1","2.12.0","2.11.0","2.10.1","2.10.0","2.9.1","2.9.0","2.8.0","2.7.3","2.7.2","2.7.1","2.7.0","2.6.0","2.5.1","2.5.0","2.4.0","2.3.0","2.2.1","2.2.0","2.1.0","2.0.1","2.0.0","2.0.0-rc.1","2.0.0-pre.1","1.0.1","1.3.0","1.2.0","1.1.0","1.0.0","0.6.2","0.6.1","0.6.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7790.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}