{"id":"EEF-CVE-2026-8466","summary":"Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy","details":"## Summary\n\nAllocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing.\n\ncowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cow_multipart:parse_headers/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the byte_size(Acc) \u003e Length guard present in the sibling function read_part_body/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section — for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \\r\\n\\r\\n — and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory.\n\nThis issue affects cowboy from 2.0.0 before 2.15.0.\n\n## Configuration\n\nThe application must expose an HTTP endpoint that calls cowboy_req:read_part/1,2 to process multipart/form-data request bodies. Deployments that do not handle multipart uploads are not affected.","aliases":["CVE-2026-8466"],"modified":"2026-05-14T04:30:32.552Z","published":"2026-05-13T18:26:21.089Z","database_specific":{"capec_ids":["CAPEC-130"],"cwe_ids":["CWE-770"],"cpe_ids":["cpe:2.3:a:ninenines:cowboy:*:*:*:*:*:*:*:*"]},"references":[{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-8466.html"},{"type":"FIX","url":"https://github.com/ninenines/cowboy/commit/5c6a2061b41bb5771c4659fac7d5a822dca5bafb"},{"type":"PACKAGE","url":"https://hex.pm/packages/cowboy"}],"affected":[{"package":{"name":"cowboy","ecosystem":"Hex","purl":"pkg:hex/cowboy"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.0.0"},{"fixed":"2.15.0"}]}],"versions":["2.0.0","2.1.0","2.2.0","2.2.1","2.2.2","2.3.0","2.4.0","2.5.0","2.6.0","2.6.1","2.6.2","2.6.3","2.7.0","2.8.0","2.9.0","2.10.0","2.11.0","2.12.0","2.13.0","2.14.0","2.14.1","2.14.2"],"database_specific":{"source":"https://cna.erlef.org/osv/EEF-CVE-2026-8466.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/ninenines/cowboy","events":[{"introduced":"917cf99e10c41676183d501b86af6e47c95afb89"},{"fixed":"5c6a2061b41bb5771c4659fac7d5a822dca5bafb"}]}],"versions":["0.10.0","1.0.0","2.0.0","2.0.0-pre.1","2.0.0-pre.10","2.0.0-pre.2","2.0.0-pre.3","2.0.0-pre.4","2.0.0-pre.5","2.0.0-pre.6","2.0.0-pre.7","2.0.0-pre.8","2.0.0-pre.9","2.0.0-rc.1","2.0.0-rc.2","2.0.0-rc.3","2.0.0-rc.4","2.1.0","2.10.0","2.11.0","2.12.0","2.13.0","2.14.0","2.14.1","2.14.2","2.2.0","2.2.1","2.2.2","2.3.0","2.4.0","2.5.0","2.6.0","2.6.1","2.6.2","2.6.3","2.7.0","2.8.0","2.9.0"],"database_specific":{"source":"https://cna.erlef.org/osv/EEF-CVE-2026-8466.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}],"credits":[{"name":"Peter Ullrich","type":"FINDER"},{"name":"Loïc Hoguin","type":"REMEDIATION_DEVELOPER"}]}