Resource Exhaustion Vulnerability in Hackney by BenoitC
CVE-2026-47073

8.7 HIGH

Key Information:

Vendor

Benoitc

Status
Vendor
CVE Published:
25 May 2026

What is CVE-2026-47073?

A resource exhaustion vulnerability exists in the WebSocket client of the Hackney HTTP client library. The flaw stems from the absence of limits on memory allocation across multiple code paths. Specifically, the read_handshake_response/3 function grows its buffer without bound as streamed bytes arrive, while other functions do not validate frame payload lengths against the documented limits. Furthermore, the frag_buffer in #ws_data{} can accumulate fragmented frames without any upper bound, leading to excessive memory usage. Exploitation requires the attacker to control the WebSocket server that the Hackney client connects to; no authentication or specific client configuration is needed.
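As an added illustration (not Hackney's code and not the project's fix), the following Erlang module shows bounded versions of the three growth paths described above: a handshake reader that stops accumulating at a cap, a frame-header decoder that validates payload lengths per RFC 6455, and a fragment reassembly step that refuses to grow past a limit. The caps, the Recv fun and the function shapes are assumptions chosen for the example.

```erlang
%% Added illustration, not Hackney's code: bounded versions of the three
%% growth paths the advisory names. Caps and function shapes are assumptions.
-module(ws_bounded).
-export([read_handshake_response/3, frame_len/1, add_fragment/3]).
-define(MAX_HANDSHAKE_BYTES, 8192).   % assumed cap on the HTTP 101 response
-define(MAX_FRAME_BYTES, 16#100000).  % assumed cap: 1 MiB per frame
-define(MAX_FRAG_BYTES, 16#1000000).  % assumed cap: 16 MiB per message

%% Path 1: accumulate handshake bytes only until the header terminator, and
%% refuse to grow past the cap. Recv is an assumed fun(Timeout) -> {ok, Bin} | {error, R}.
read_handshake_response(Recv, Buffer, Timeout) ->
    case binary:match(Buffer, <<"\r\n\r\n">>) of
        {Pos, 4} ->
            HeadLen = Pos + 4,
            <<Head:HeadLen/binary, Rest/binary>> = Buffer,
            {ok, Head, Rest};
        nomatch when byte_size(Buffer) >= ?MAX_HANDSHAKE_BYTES ->
            {error, handshake_too_large};
        nomatch ->
            case Recv(Timeout) of
                {ok, Data} -> read_handshake_response(Recv, <<Buffer/binary, Data/binary>>, Timeout);
                {error, _} = Err -> Err
            end
    end.

%% Path 2: decode opcode and payload length from a complete frame header,
%% rejecting non-minimal length encodings (RFC 6455 section 5.2), control
%% frames over 125 bytes, and anything above the per-frame cap.
frame_len(<<_Fin:1, _Rsv:3, Op:4, _M:1, 126:7, Len:16, _/binary>>) when Len >= 126 ->
    check_len(Op, Len);
frame_len(<<_Fin:1, _Rsv:3, Op:4, _M:1, 127:7, 0:1, Len:63, _/binary>>) when Len >= 65536 ->
    check_len(Op, Len);
frame_len(<<_Fin:1, _Rsv:3, Op:4, _M:1, Len:7, _/binary>>) when Len =< 125 ->
    check_len(Op, Len);
frame_len(_) -> {error, bad_length_encoding}.

check_len(Op, Len) when Op >= 8, Len > 125 -> {error, control_frame_too_large};
check_len(_Op, Len) when Len > ?MAX_FRAME_BYTES -> {error, frame_too_large};
check_len(Op, Len) -> {ok, Op, Len}.

%% Path 3: append a fragment to the reassembly buffer (the role frag_buffer
%% plays in #ws_data{}), failing once the message would exceed the cap.
add_fragment(Frag, FragBuffer, Fin) ->
    NewSize = byte_size(FragBuffer) + byte_size(Frag),
    if
        NewSize > ?MAX_FRAG_BYTES -> {error, message_too_large};
        Fin =:= true -> {message, <<FragBuffer/binary, Frag/binary>>};
        true -> {more, <<FragBuffer/binary, Frag/binary>>}
    end.
```

Each function returns an explicit error tuple at the cap so the caller can close the connection instead of letting a hostile server dictate the client's memory use.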

Affected Version(s)

hackney 2.0.0 < 4.0.1

hackney 690cecaf236fba49526da404a5bc889a24367a3e

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Peter Ullrich
Benoit Chesneau
Jonatan Männchen