Denial of Service Vulnerability in cowlib by ninenines
CVE-2026-43970

8.2 HIGH

Key Information:

Vendor: Ninenines
Status: Vendor
CVE Published: 13 May 2026

What is CVE-2026-43970?

cowlib improperly handles highly compressed data, allowing an unauthenticated remote attacker to cause a denial of service through memory exhaustion. The cow_spdy:inflate/2 function decompresses peer-supplied compressed bytes without setting an output size limit. Because SPDY header compression uses a public dictionary, a small input can expand dramatically during decompression and consume significant memory. The flaw affects the syn_stream, syn_reply, and headers frame types and can drive the BEAM heap into an out-of-memory condition, crashing the node with minimal effort.
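The unbounded-inflate pattern beside a bounded one, as an added Python illustration of the flaw described above (this is not cowlib's Erlang code; the dictionary bytes and the 64 KiB cap are constructed assumptions, not the SPDY specification's dictionary or the values used in the fix):

```python
import zlib

# Constructed stand-in for the SPDY header-compression dictionary; the real one is
# a fixed public string, which is why a peer can craft input that expands against it.
SPDY_DICT = b"optionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encoding"
MAX_HEADER_BLOCK = 64 * 1024  # assumed policy: largest decoded header block accepted

class HeaderBlockTooLarge(Exception):
    pass

class HeaderCompressor:
    """Sender side: one zlib context shared by every header frame on a connection."""
    def __init__(self):
        self._z = zlib.compressobj(9, zdict=SPDY_DICT)

    def frame(self, headers: bytes) -> bytes:
        # SPDY ends each header block with a sync flush, so the stream stays open.
        return self._z.compress(headers) + self._z.flush(zlib.Z_SYNC_FLUSH)

class UnboundedDecoder:
    """Mirrors the vulnerable pattern: inflate whatever arrives with no output cap."""
    def __init__(self):
        self._z = zlib.decompressobj(zdict=SPDY_DICT)

    def inflate(self, data: bytes) -> bytes:
        return self._z.decompress(data)

class BoundedDecoder:
    """Hardened form: reject a frame whose decoded block would exceed the cap."""
    def __init__(self, max_out: int = MAX_HEADER_BLOCK):
        self._z = zlib.decompressobj(zdict=SPDY_DICT)
        self._max_out = max_out

    def inflate(self, data: bytes) -> bytes:
        # Ask zlib for at most max_out + 1 bytes: the extra byte proves the block
        # is over the limit, and the full expansion is never materialised.
        out = self._z.decompress(data, self._max_out + 1)
        if len(out) > self._max_out:
            raise HeaderBlockTooLarge(f"decoded header block exceeds {self._max_out} bytes")
        return out

def inflate_or_reject(decoder: BoundedDecoder, data: bytes):
    """Return (True, block) when accepted, (False, None) when the cap rejects it."""
    try:
        return True, decoder.inflate(data)
    except HeaderBlockTooLarge:
        return False, None
```

A receiver that rejects at the cap should also drop the connection, since the shared zlib context is no longer in sync with the peer after a partial inflate.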

Affected Version(s)

cowlib 0.1.0 < 2.16.1

cowlib fad5c0049df278cc498b6cdb519b09e845a070a8 < 16aad3fb9f81f5cda4d1706ff0c54237c619c282

References

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Loïc Hoguin