Infinite Loop Vulnerability in Hackney HTTP Client by Benoit C.
CVE-2026-47066

8.7HIGH

Key Information:

Vendor: Benoitc
Status: Hackney
Vendor: CVE Published:; 25 May 2026

What is CVE-2026-47066?

A vulnerability exists in the Hackney HTTP client that allows for an Infinite Loop scenario caused by the parser of the Alt-Svc response header. When the parser encounters an unrecognized byte, it fails to advance, leading to a tight recursive loop that consumes CPU resources indefinitely. This behavior can be initiated by a single-byte Alt-Svc response header, which can be controlled by any HTTP origin. As a result, processes can become unresponsive, severely impacting application performance and stability.

Affected Version(s)

hackney 2.0.0-beta.1 < 4.0.1

hackney 408e5fe20302226ea8c74dde2bcbd452d712b5b2

References

https://github.com/benoitc/hackney/security/advisories/GH...

vendor-advisoryrelated

https://cna.erlef.org/cves/CVE-2026-47066.html

https://osv.dev/vulnerability/EEF-CVE-2026-47066

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 25, 2026
Vulnerability Reserved
May 18, 2026

Credit

Peter Ullrich

Benoit Chesneau

Jonatan Männchen

CVE-2026-47066 Data

JSON

Benoitc

What is CVE-2026-47066?

Affected Version(s)

References

CVSS V4

Timeline

Credit