Uncontrolled Resource Consumption in Cowlib's HTTP Module from Ninenines
CVE-2026-7790

8.7 HIGH

Key Information:

Vendor

Ninenines

Status
Vendor
CVE Published: 11 May 2026

What is CVE-2026-7790?

An uncontrolled resource consumption vulnerability exists in the cow_http_te module of Ninenines Cowlib and can lead to excessive CPU and memory usage. The chunked transfer-encoding parser accepts an unbounded number of hex digits in the chunk-size field, so an attacker who sends an HTTP/1.1 request with a very long chunk-size hex string can trigger significant resource exhaustion, potentially resulting in a denial-of-service condition. The vulnerability affects multiple versions of Cowlib before 2.16.1.
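The mitigation pattern for the issue described above, as an added Python illustration that is not Cowlib's code or its 2.16.1 fix: cap the hex digits of the chunk-size field and fail while reading, before the value or the buffer can grow. The 16-digit and 4096-byte limits and all names here are assumptions chosen for the example.

```python
import string

MAX_CHUNK_SIZE_DIGITS = 16   # assumed cap: 16 hex digits covers any 64-bit length
MAX_LINE_BYTES = 4096        # assumed cap on the whole line, extensions included
HEX_DIGITS = frozenset(string.hexdigits.encode())


class ChunkSizeError(ValueError):
    """Malformed chunk-size line, or one that exceeds a configured cap."""


def parse_chunk_size(buf: bytes):
    """Parse one chunk-size line from the start of buf.

    Returns (size, rest) once a full line is present, or None when more
    bytes are needed. Raises ChunkSizeError as soon as a cap is exceeded,
    so an endless digit stream is rejected instead of buffered or summed.
    """
    size = 0
    digits = 0
    for i, byte in enumerate(buf):
        if byte in HEX_DIGITS:
            digits += 1
            if digits > MAX_CHUNK_SIZE_DIGITS:
                raise ChunkSizeError("chunk-size exceeds digit cap")
            size = size * 16 + int(chr(byte), 16)
            continue
        if digits == 0:
            raise ChunkSizeError("chunk-size has no hex digits")
        if byte not in b";\r":
            raise ChunkSizeError("unexpected byte after chunk-size")
        # Chunk extensions (";name=value") are skipped, but still bounded.
        end = buf.find(b"\r\n", i)
        if (end if end != -1 else len(buf)) > MAX_LINE_BYTES:
            raise ChunkSizeError("chunk-size line too long")
        if end == -1:
            return None              # CRLF not received yet
        return size, buf[end + 2:]
    return None                      # only digits so far, still under the cap
```

Because the digit counter is checked on every byte, a sender that never terminates the field is rejected after 17 digits rather than after the connection buffer fills.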

Affected Version(s)

cowlib 0.6.0 < 2.16.1

cowlib 8c0e428b012c59f553a264f285ed89d36f791e3e

References

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Loïc Hoguin