CVE-2026-43970

EUVD-2026-30131

13.05.2026, 19:17

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion.

cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2.

This issue affects cowlib from 0.1.0 before 2.16.1.

Data Amplification

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
EEF	CNA	8.2 HIGH	NETWORK	LOW	NONE	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 39%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
ninenines	cowlib	0.1.0 ≤ 𝑥 < 2.16.1	CNA

Debian Releases

Debian Product

Codename

erlang-cowlib

bookworm	no-dsa
bullseye	no-dsa
forky	2.17.1-1 fixed
sid	2.17.1-1 fixed
trixie	no-dsa

Common Weakness Enumeration

CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

References

https://cna.erlef.org/cves/CVE-2026-43970.html

https://github.com/ninenines/cowlib/commit/16aad3fb9f81f5cda4d1706ff0c54237c619c282

https://osv.dev/vulnerability/EEF-CVE-2026-43970