CVE-2026-43970

Published: Mag 13, 2026 Last Modified: Mag 14, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 8,2
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A

Description

AI Translation Available

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion.

cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2.

This issue affects cowlib from 0.1.0 before 2.16.1.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0014
Percentile
0,3th
Updated

EPSS Score Trend (Last 7 Days)

409

Improper Handling of Highly Compressed Data (Data Amplification)

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Availability
Potential Impacts:
Dos: Amplification Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory)
Applicable Platforms
All platforms may be affected
View CWE Details
https://cna.erlef.org/cves/CVE-2026-43970.html
https://cna.erlef.org/cves/CVE-2026-43970.html
https://github.com/ninenines/cowlib/commit/16aad3fb9f81f5cd…
https://github.com/ninenines/cowlib/commit/16aad3fb9f81f5cda4d1706ff0c54237c619…
https://osv.dev/vulnerability/EEF-CVE-2026-43970
https://osv.dev/vulnerability/EEF-CVE-2026-43970