CVE-2026-43970 Overview
CVE-2026-43970 is a data amplification vulnerability in the ninenines/cowlib Erlang library, the support library used to parse and build web protocols in the Cowboy HTTP server ecosystem. The flaw resides in the SPDY frame parser (cow_spdy:inflate/2), which passes attacker-supplied compressed bytes directly to zlib:inflate/2 without any bound on the output size. A single unauthenticated SPDY frame can decompress into gigabytes of data inside the BEAM virtual machine, exhausting memory and terminating the node. The issue affects cowlib versions from 0.1.0 up to and including 2.16.0 (2.16.1 contains the fix) and is classified as CWE-409, Improper Handling of Highly Compressed Data.
Critical Impact
A single unauthenticated SPDY frame containing a few kilobytes of compressed payload can decompress to gigabytes of memory, OOM-killing the Erlang node and producing a remote denial of service.
Affected Products
- ninenines/cowlib versions 0.1.0 through 2.16.0
- Erlang/OTP applications embedding the vulnerable cow_spdy module
- Cowboy-based HTTP servers depending on affected cowlib releases
Discovery Timeline
- 2026-05-13 - CVE-2026-43970 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43970
Vulnerability Analysis
The vulnerability stems from unbounded decompression of attacker-controlled SPDY frame payloads. The cow_spdy:inflate/2 function forwards peer-supplied compressed bytes to Erlang's zlib:inflate/2 without enforcing any limit on how much output that call may produce. The SPDY header compression dictionary, referenced in the source as ?ZDICT, is publicly documented, so an attacker can produce a valid dictionary-compressed header block, and deflate encodes long runs of identical bytes at close to its maximum ratio of roughly 1032:1. A few kilobytes of crafted SPDY frame payload therefore expand to gigabytes once inflated by the BEAM virtual machine.
Three SPDY frame types route through the vulnerable code path via cow_spdy:parse_headers/2: syn_stream, syn_reply, and headers. Any of these can deliver the amplification payload. No authentication or prior session state is required, and a single frame is sufficient to trigger the out-of-memory condition.
Root Cause
The root cause is the absence of an output size cap on the zlib stream. Erlang's zlib module provides a bounded variant, zlib:safeInflate/2 (OTP 20.1 and later), which returns output one internal buffer at a time so the caller can count bytes and stop; cow_spdy:inflate/2 instead calls the unbounded zlib:inflate/2, which expands the whole stream in one call. Combined with the predictable SPDY zlib dictionary, the parser becomes a reliable memory amplification primitive whose cost to the victim scales with the compression ratio of the attacker-supplied bytes.
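To make the amplification and the fix concrete, here is an added example (not cowlib's code): the unbounded pattern the advisory describes, beside a bounded replacement built on zlib:safeInflate/2, the call OTP documents for decompressing untrusted input. The module name spdy_inflate_demo, the function names, the 1 MiB cap and the short dictionary standing in for ?ZDICT are all assumptions made for the example; the real SPDY dictionary is much longer, but the bound does not depend on its contents. Requires OTP 20.1 or later for zlib:safeInflate/2.

```erlang
%% Added example, not cowlib code. Shows the unbounded inflate shape the
%% advisory describes next to a bounded replacement.
-module(spdy_inflate_demo).
-export([inflate_unbounded/2, inflate_bounded/3, demo/0]).

%% Constructed stand-in for SPDY's ?ZDICT (assumption; the real dictionary
%% is the public SPDY/3 header dictionary). The cap below works with any.
-define(ZDICT, <<"optionsgetheadpostputdeletetraceacceptaccept-charset"
                 "accept-encodingaccept-languageauthorizationexpires">>).

%% Vulnerable shape: everything the peer sent goes to zlib:inflate/2, which
%% keeps producing output until the compressed stream is exhausted. Do not
%% use this on untrusted input.
inflate_unbounded(Z, Data) ->
    try
        zlib:inflate(Z, Data)
    catch
        error:{need_dictionary, _Adler} ->
            ok = zlib:inflateSetDictionary(Z, ?ZDICT),
            zlib:inflate(Z, [])
    end.

%% Hardened shape: zlib:safeInflate/2 returns at most one internal buffer of
%% output per call. {continue, Out} means more is pending and the call must be
%% repeated with [] as input; {finished, Out} means the given input has been
%% consumed. Counting bytes per step lets us abort before MaxBytes is exceeded
%% without ever materialising the full expansion.
inflate_bounded(Z, Data, MaxBytes) ->
    inflate_bounded(Z, Data, MaxBytes, 0, []).

inflate_bounded(Z, Data, MaxBytes, Seen, Acc) ->
    {Status, Out} =
        try
            zlib:safeInflate(Z, Data)
        catch
            error:{need_dictionary, _Adler} ->
                ok = zlib:inflateSetDictionary(Z, ?ZDICT),
                zlib:safeInflate(Z, [])
        end,
    Seen1 = Seen + iolist_size(Out),
    if
        Seen1 > MaxBytes ->
            {error, {inflated_size_exceeded, MaxBytes}};
        Status =:= finished ->
            {ok, iolist_to_binary(lists:reverse([Out | Acc]))};
        true ->
            inflate_bounded(Z, [], MaxBytes, Seen1, [Out | Acc])
    end.

%% Constructed payload: 64 MiB of zero bytes deflated with the dictionary,
%% mimicking an attacker's SPDY header block. Returns the compressed size, the
%% achieved ratio and the outcome of inflating under a 1 MiB cap.
demo() ->
    Plain = binary:copy(<<0>>, 64 * 1024 * 1024),
    Zd = zlib:open(),
    ok = zlib:deflateInit(Zd, best_compression),
    _Adler = zlib:deflateSetDictionary(Zd, ?ZDICT),
    Compressed = iolist_to_binary(zlib:deflate(Zd, Plain, finish)),
    ok = zlib:deflateEnd(Zd),
    ok = zlib:close(Zd),
    Zi = zlib:open(),
    ok = zlib:inflateInit(Zi),
    Result = inflate_bounded(Zi, Compressed, 1024 * 1024),
    ok = zlib:close(Zi),
    #{compressed_bytes => byte_size(Compressed),
      ratio => byte_size(Plain) div byte_size(Compressed),
      bounded_result => Result}.
```

Compile and run `spdy_inflate_demo:demo().` in an Erlang shell: the 64 MiB input compresses to a few tens of kilobytes, and the bounded inflater returns the error tuple instead of allocating the expansion. Calling `inflate_unbounded/2` on the same bytes allocates the full 64 MiB in one call; scale the input up and that is the crash described in this advisory.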
Attack Vector
An unauthenticated remote attacker sends a single crafted SPDY frame to any service that delegates SPDY header parsing to vulnerable cowlib. The BEAM process allocates memory proportional to the inflated payload until the operating system kills the node, taking down every Erlang application hosted on it. The attack requires only network reachability to the listener; no session, credentials or prior frames are needed.
// Patch summary (ebin/cowlib.app) - the cow_spdy module is removed
{application, 'cowlib', [
{description, "Support library for manipulating Web protocols."},
{vsn, "2.16.0"},
- {modules, ['cow_base64url',...,'cow_spdy','cow_sse','cow_uri','cow_uri_template','cow_ws']},
+ {modules, ['cow_base64url',...,'cow_sse','cow_uri','cow_uri_template','cow_ws']},
{registered, []},
{applications, [kernel,stdlib,crypto]},
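Review bot: the `{vsn, "2.16.0"}` context line is unchanged in this hunk while the fix is shipped as 2.16.1, so confirm the version bump lands in the same commit or release; otherwise a lock file pinned to 2.16.0 cannot distinguish patched from unpatched builds. Also confirm that src/cow_spdy.erl is deleted and not only dropped from the `modules` list: a module left in src/ is still compiled by rebar3 and erlang.mk and can still be loaded and called by name, so the manifest change alone does not remove the parser surface. A changelog line stating that SPDY support is removed rather than fixed would tell downstream callers of cow_spdy to expect undefined-function errors after upgrading.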
Source: GitHub Commit 16aad3f — the upstream fix removes the unused cow_spdy module entirely from the application manifest, eliminating the vulnerable parser surface.
Detection Methods for CVE-2026-43970
Indicators of Compromise
- Sudden BEAM virtual machine process termination accompanied by kernel oom-killer log entries referencing the Erlang runtime.
- Inbound TCP connections delivering small payloads followed by abrupt service restart cycles on ports that handle SPDY or legacy HTTP traffic.
- Erlang crash dumps showing large binary allocations originating from cow_spdy:inflate/2 or cow_spdy:parse_headers/2 call frames.
Detection Strategies
- Inventory all Erlang/OTP deployments and identify dependencies on cowlib versions earlier than 2.16.1 using build manifests such as rebar.lock or mix.lock.
- Enable BEAM memory telemetry and alert on rapid growth in VM memory (total and binary, since large zlib output is held as off-heap binaries) in nodes that parse frames from untrusted peers.
- Inspect network telemetry for SPDY traffic patterns, especially SYN_STREAM, SYN_REPLY, and HEADERS frames arriving from untrusted peers.
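As an added example of the inventory step (not rebar3's or cowlib's code), the module below consults a rebar.lock, reports every cowlib entry and flags versions below 2.16.1. Git-sourced dependencies are reported as unverified because the lock carries a commit ref rather than a version for them. The module and function names and the constructed sample lock are assumptions; mix.lock uses Elixir syntax and is not handled here.

```erlang
%% Added example, not cowlib or rebar3 code. Flags cowlib entries in a
%% rebar.lock that are older than the fixed release.
-module(cowlib_lock_check).
-export([check_file/1, check_lock_terms/1, sample/0, vsn_lt/2, parse_vsn/1]).

-define(FIXED_VSN, {2, 16, 1}).

%% rebar3 writes either a bare dependency list (old format) or
%% {"1.2.0", Deps} followed by a list of {pkg_hash, ...} entries. Both
%% shapes are read with file:consult/1 and handled below.
check_file(Path) ->
    case file:consult(Path) of
        {ok, Terms} -> check_lock_terms(Terms);
        {error, Reason} -> {error, {Path, Reason}}
    end.

check_lock_terms(Terms) ->
    Deps = lists:append([deps_of(T) || T <- Terms]),
    [classify(Dep) || Dep = {<<"cowlib">>, _Src, _Level} <- Deps].

deps_of({_LockVsn, Deps}) when is_list(Deps) -> Deps;
deps_of(Deps) when is_list(Deps) -> [D || D = {_, _, _} <- Deps];
deps_of(_) -> [].

%% Hex packages carry a version; git deps only a ref, so they need a
%% manual check against the fixed commit.
classify({Name, {pkg, _PkgName, Vsn}, _Level}) ->
    vsn_status(Name, Vsn);
classify({Name, {git, Url, Ref}, _Level}) ->
    {Name, unverified, {git, Url, Ref}};
classify({Name, Other, _Level}) ->
    {Name, unverified, Other}.

vsn_status(Name, VsnBin) ->
    case parse_vsn(VsnBin) of
        {ok, Vsn} ->
            case vsn_lt(Vsn, ?FIXED_VSN) of
                true -> {Name, vulnerable, VsnBin};
                false -> {Name, fixed, VsnBin}
            end;
        error ->
            {Name, unverified, VsnBin}
    end.

%% "2.16.0" -> {ok, {2,16,0}}. Pre-release suffixes such as "2.16.1-rc.1"
%% are not numeric and are reported as unverified rather than guessed.
parse_vsn(Bin) when is_binary(Bin) ->
    parse_vsn(binary_to_list(Bin));
parse_vsn(Str) ->
    try
        {ok, list_to_tuple([list_to_integer(P) || P <- string:lexemes(Str, ".")])}
    catch
        error:badarg -> error
    end.

%% Erlang orders tuples by size before contents, so pad both to the same
%% length before comparing ({2,16} must read as {2,16,0}).
vsn_lt(A, B) ->
    N = max(tuple_size(A), tuple_size(B)),
    pad(A, N) < pad(B, N).

pad(T, N) when tuple_size(T) >= N -> T;
pad(T, N) -> pad(erlang:append_element(T, 0), N).

%% Constructed lock contents in the shape rebar3 3.x writes (not a real
%% lock; the hash is a placeholder).
sample() ->
    check_lock_terms(
      [{"1.2.0",
        [{<<"cowboy">>, {pkg, <<"cowboy">>, <<"2.13.0">>}, 0},
         {<<"cowlib">>, {pkg, <<"cowlib">>, <<"2.16.0">>}, 1}]},
       [{pkg_hash, [{<<"cowlib">>, <<"deadbeef">>}]}]]).
```

`cowlib_lock_check:check_file("rebar.lock").` returns one tuple per cowlib entry, tagged `vulnerable`, `fixed` or `unverified`; run it across every checkout or release tarball you ship. Note that cowlib is usually pulled in transitively by cowboy or gun, so a project that never names cowlib in its own rebar.config still has a lock entry for it.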
Monitoring Recommendations
- Forward Erlang crash.dump artifacts and oom-killer system logs to a centralized logging platform for correlation.
- Track VM-wide memory (erlang:memory/0, or erlang:memory/1 for the total and binary counters) and per-process usage (erlang:process_info(Pid, memory)), and trigger alerts when a counter exceeds its baseline by an order of magnitude.
- Monitor service availability and restart counters for Cowboy-based listeners exposed to untrusted networks.
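An added example of the memory telemetry item above (not cowlib code or any project's tooling): a small watcher process that samples erlang:memory(total) and erlang:memory(binary) on an interval and logs a warning when either grows by more than a given factor between two samples. The binary counter is included because large zlib output is returned as off-heap binaries, so a decompression bomb shows up there rather than in any one process's heap size. The module name, the sampling interval and the factor are assumptions.

```erlang
%% Added example, not cowlib code. Logs when BEAM memory jumps between
%% two samples, which is the signature of a single-frame decompression bomb.
-module(beam_mem_watch).
-export([start/2, stop/1, spike/3]).

%% Spawn a poller that samples every IntervalMs and warns when the total or
%% binary counter grows by more than Factor x the previous sample.
%% Example: beam_mem_watch:start(1000, 10) for the "order of magnitude" rule.
start(IntervalMs, Factor) ->
    spawn_link(fun() -> loop(IntervalMs, Factor, sample()) end).

stop(Pid) ->
    Pid ! stop,
    ok.

sample() ->
    #{total => erlang:memory(total), binary => erlang:memory(binary)}.

loop(IntervalMs, Factor, Prev) ->
    receive
        stop -> ok
    after IntervalMs ->
        Cur = sample(),
        [logger:warning("BEAM memory spike: ~p grew from ~p to ~p bytes",
                        [Key, maps:get(Key, Prev), maps:get(Key, Cur)])
         || Key <- [total, binary],
            spike(maps:get(Key, Prev), maps:get(Key, Cur), Factor)],
        loop(IntervalMs, Factor, Cur)
    end.

%% Pure threshold check, kept separate so it can be unit tested:
%% true when Cur is more than Factor times Prev.
spike(Prev, Cur, Factor) when Prev > 0 -> Cur > Prev * Factor;
spike(_Prev, _Cur, _Factor) -> false.
```

Feed the logger output to the same sink as the crash.dump and oom-killer logs so a spike can be correlated with the connection that arrived just before it; a production deployment would export the samples to its metrics pipeline rather than only logging them.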
How to Mitigate CVE-2026-43970
Immediate Actions Required
- Upgrade cowlib to version 2.16.1 or later across all Erlang applications and rebuild dependent releases.
- Audit deployed services for any legacy SPDY listener configuration and disable SPDY where it is not required.
- Restrict network exposure of affected services to trusted clients until patching is complete.
Patch Information
The fix is delivered in cowlib 2.16.1 via GitHub commit 16aad3f, which removes the cow_spdy module from the application manifest rather than bounding the inflate call. Additional context is available in the CNA CVE-2026-43970 Report and the OSV Vulnerability Record EEF-CVE-2026-43970.
Workarounds
- Block inbound SPDY traffic at the network perimeter or load balancer until the upgrade is applied.
- Terminate TLS in front of the Erlang service with a reverse proxy that advertises only HTTP/1.1 and HTTP/2 via ALPN and never spdy/*, so SPDY frames cannot reach cowlib.
- Apply memory limits at the operating system level (for example, MemoryMax= in the service's systemd unit) so that an amplification attempt takes down only that unit rather than the host. This contains the blast radius but does not prevent the node from being killed.
%% Example: pin cowlib to a patched version in a rebar3 project
%% rebar.config (Erlang terms, so comments use %%)
{deps, [
    {cowlib, "2.16.1"}
]}.

# For Mix-based Elixir projects (mix.exs); override: true wins over the
# transitive requirement pulled in by cowboy or plug_cowboy
defp deps do
  [
    {:cowlib, "~> 2.16.1", override: true}
  ]
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.