{"id":"CVE-2026-8466","summary":"Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy","details":"Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing.\n\ncowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cow_multipart:parse_headers/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the byte_size(Acc) \u003e Length guard present in the sibling function read_part_body/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section — for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \\r\\n\\r\\n — and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory.\n\nThis issue affects cowboy from 2.0.0 before 2.15.0.","aliases":["EEF-CVE-2026-8466","GHSA-jfc2-q6qh-g5x8"],"modified":"2026-07-08T08:13:52.872889562Z","published":"2026-05-13T18:26:21.089Z","database_specific":{"cna_assigner":"EEF","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8466.json","cwe_ids":["CWE-770"],"unresolved_ranges":[{"extracted_events":[{"introduced":"917cf99e10c41676183d501b86af6e47c95afb89"},{"fixed":"5c6a2061b41bb5771c4659fac7d5a822dca5bafb"}],"source":"AFFECTED_FIELD"}]},"references":[{"type":"WEB","url":"https://github.com"},{"type":"WEB","url":"https://osv.dev/vulnerability/EEF-CVE-2026-8466"},{"type":"WEB","url":"https://repo.hex.pm"},{"type":"ADVISORY","url":"https://cna.erlef.org/cves/CVE-2026-8466.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8466.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8466"},{"type":"FIX","url":"https://github.com/ninenines/cowboy/commit/5c6a2061b41bb5771c4659fac7d5a822dca5bafb"},{"type":"PACKAGE","url":"https://github.com/ninenines/cowboy"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ninenines/cowboy","events":[{"introduced":"d3f15cfd8b2bb4c0c697bd995dfa4546474235ad"},{"fixed":"3b9fb5214d70f1c4707a095c4193214bc12a7c36"},{"fixed":"5c6a2061b41bb5771c4659fac7d5a822dca5bafb"}],"database_specific":{"extracted_events":[{"introduced":"2.0.0"},{"fixed":"2.15.0"}],"source":["DESCRIPTION","REFERENCES"]}}],"versions":["2.14.2","2.14.1","2.14.0","2.13.0","2.12.0","2.11.0","2.10.0","2.9.0","2.8.0","2.7.0","2.6.3","2.6.2","2.6.1","2.6.0","2.5.0","2.4.0","2.3.0","2.2.2","2.2.1","2.2.0","2.1.0","2.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8466.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}