{"id":"EEF-CVE-2026-43970","summary":"Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame","details":"## Summary\n\nImproper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion.\n\ncow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2.\n\nThis issue affects cowlib from 0.1.0 before 2.16.1.\n\n## Configuration\n\nThe application must use cow_spdy:parse/2 to parse SPDY frames from an untrusted peer. cowboy itself does not use cow_spdy; only direct callers of the cow_spdy API are affected.","aliases":["CVE-2026-43970","GHSA-84f2-rp86-235p"],"modified":"2026-05-19T20:26:01.036608498Z","published":"2026-05-13T18:43:11.640Z","database_specific":{"cpe_ids":["cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"],"capec_ids":["CAPEC-130"],"cwe_ids":["CWE-409"]},"references":[{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-43970.html"},{"type":"FIX","url":"https://github.com/ninenines/cowlib/commit/16aad3fb9f81f5cda4d1706ff0c54237c619c282"},{"type":"PACKAGE","url":"https://hex.pm/packages/cowlib"}],"affected":[{"package":{"name":"cowlib","ecosystem":"Hex","purl":"pkg:hex/cowlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.1.0"},{"fixed":"2.16.1"}]}],"versions":["1.0.0","1.0.1","1.0.2","1.1.0","1.2.0","1.3.0","2.0.0","2.0.1","2.1.0","2.2.0","2.2.1","2.3.0","2.4.0","2.5.0","2.5.1","2.6.0","2.7.0","2.7.1","2.7.2","2.7.3","2.8.0","2.9.0","2.9.1","2.10.0","2.10.1","2.11.0","2.12.0","2.12.1","2.13.0","2.14.0","2.15.0","2.16.0"],"database_specific":{"source":"https://cna.erlef.org/osv/EEF-CVE-2026-43970.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/ninenines/cowlib","events":[{"introduced":"fad5c0049df278cc498b6cdb519b09e845a070a8"},{"fixed":"16aad3fb9f81f5cda4d1706ff0c54237c619c282"}]}],"versions":["0.1.0","0.2.0","0.3.0","0.4.0","0.5.0","0.5.1","0.6.0","0.6.1","0.6.2","1.0.0","1.0.1","1.1.0","1.2.0","1.3.0","2.0.0","2.0.0-pre.1","2.0.0-rc.1","2.0.1","2.1.0","2.10.0","2.10.1","2.11.0","2.12.0","2.12.1","2.13.0","2.14.0","2.15.0","2.16.0","2.2.0","2.2.1","2.3.0","2.4.0","2.5.0","2.5.1","2.6.0","2.7.0","2.7.1","2.7.2","2.7.3","2.8.0","2.9.0","2.9.1"],"database_specific":{"source":"https://cna.erlef.org/osv/EEF-CVE-2026-43970.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}],"credits":[{"name":"Peter Ullrich","type":"FINDER"},{"name":"Loïc Hoguin","type":"REMEDIATION_DEVELOPER"}]}