Resource Exhaustion Vulnerability in Hackney HTTP Client by BenoitC
CVE-2026-47077

8.2 HIGH

Key Information:

Vendor

Benoitc

Status
Vendor
CVE Published:
25 May 2026

What is CVE-2026-47077?

A resource exhaustion vulnerability exists in the Hackney HTTP client, where the accumulation of HTTP/3 response bodies in memory is unbounded. Specifically, the function hackney_h3:await_response_loop/6 lacks a size limit on the accumulated response body, making it susceptible to flooding attacks. An attacker could exploit this by sending small chunks of data with an inactive final frame, which keeps the accumulation buffer growing indefinitely. As a result, this can lead to an out-of-memory condition in the BEAM process, severely impacting the performance and stability of applications using Hackney.
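
A bounded accumulation loop of the kind the description says is missing, written in Erlang as an added example; it is not hackney's code and not the project's fix. The module name, the {chunk, Ref, Data, Fin} message shape and the limit values are assumptions made for illustration.

```erlang
-module(bounded_body).
-export([collect/3, demo/0]).

%% Hypothetical message shape for this sketch (not hackney's internal
%% protocol): {chunk, Ref, Data :: binary(), Fin :: boolean()}.

%% Collect a streamed body, enforcing a byte cap and an overall deadline.
-spec collect(reference(), non_neg_integer(), non_neg_integer()) ->
          {ok, binary()} | {error, body_too_large | timeout}.
collect(Ref, MaxBytes, TimeoutMs) ->
    Deadline = erlang:monotonic_time(millisecond) + TimeoutMs,
    loop(Ref, MaxBytes, Deadline, 0, []).

loop(Ref, MaxBytes, Deadline, Size, Acc) ->
    %% The deadline covers the whole body, so a slow trickle of chunks
    %% cannot keep the loop alive by resetting a per-message timer.
    Remaining = max(0, Deadline - erlang:monotonic_time(millisecond)),
    receive
        {chunk, Ref, Data, Fin} ->
            NewSize = Size + byte_size(Data),
            if
                NewSize > MaxBytes ->
                    %% Reject before storing the chunk: the cap holds even
                    %% when the peer never sets Fin.
                    {error, body_too_large};
                Fin ->
                    {ok, iolist_to_binary(lists:reverse([Data | Acc]))};
                true ->
                    loop(Ref, MaxBytes, Deadline, NewSize, [Data | Acc])
            end
    after Remaining ->
        {error, timeout}
    end.

%% Constructed input: 2000 one-byte chunks, none of them marked final.
demo() ->
    Ref = make_ref(),
    Self = self(),
    spawn(fun() ->
                  [Self ! {chunk, Ref, <<"x">>, false} || _ <- lists:seq(1, 2000)]
          end),
    collect(Ref, 1024, 5000).
```

On an error return the caller still has to cancel the stream or close the connection; otherwise unread chunks keep queuing in the process mailbox.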

Affected Version(s)

hackney 2.0.0 < 4.0.1

hackney 0334af206d5099fdf510ed9eda18e34396f065ad < 3d25f9fea26c90609de9d64366fedfe5065413bc

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Benoit Chesneau
Jonatan Männchen