CVE-2026-47077 Overview
CVE-2026-47077 is a resource exhaustion vulnerability in the hackney HTTP client library for Erlang, maintained by benoitc. The flaw resides in the HTTP/3 response handling logic, specifically the hackney_h3:await_response_loop/6 function, which accumulates response body data in memory without enforcing a size cap. A malicious HTTP/3 server can keep the loop alive by emitting small chunks just before the inactivity timer expires, causing unbounded memory growth in the BEAM process heap. The vulnerability affects hackney versions from 2.0.0 before 4.0.1 and is categorized under CWE-400 Uncontrolled Resource Consumption.
Critical Impact
A remote HTTP/3 server can exhaust memory on any client that uses hackney's HTTP/3 support. Because the BEAM imposes no per-process heap limit by default, the growth ends in an allocation failure that aborts the whole VM rather than just the requesting process, so one request can take down the node.
Affected Products
- benoitc hackney 2.0.0 through versions before 4.0.1
- Erlang/Elixir applications using hackney as an HTTP client with HTTP/3 enabled
- Downstream libraries depending on vulnerable hackney releases
Discovery Timeline
- 2026-05-25 - CVE-2026-47077 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-47077
Vulnerability Analysis
The vulnerability lives in hackney_h3:await_response_loop/6, the receive loop that processes HTTP/3 response frames. The loop appends each incoming body chunk to an in-memory accumulator and waits for additional frames using an after Timeout clause. That timer is a per-message inactivity timeout, not a wall-clock deadline. Every received chunk, housekeeping message, or QUIC settings frame resets the timer. As a result, the loop has no upper bound on total body size, total wall-clock time, or number of accepted chunks. An attacker controlling the server side can sustain the loop indefinitely while the buffer grows linearly.
Root Cause
The root cause is missing enforcement of a response body size limit and a missing absolute timeout in HTTP/3 response handling. The function trusts the peer to eventually send a frame with Fin = true or to stop transmitting. No max_body check, no cumulative byte counter, and no overall deadline guard the accumulator. This is the Uncontrolled Resource Consumption pattern, CWE-400; the closely related CWE-770, Allocation of Resources Without Limits or Throttling, describes the same missing cap.
Attack Vector
Exploitation requires no authentication and no user interaction beyond the client initiating an HTTP/3 request to an attacker-controlled or attacker-influenced server. The attack proceeds as follows: the client issues an HTTP/3 request, the malicious server returns a response with Fin = false, and then emits one small body chunk at intervals just under the inactivity timeout. Each chunk resets the timer and adds bytes to the accumulator; the server never sends a terminating frame. Because the BEAM sets no per-process heap limit by default, the accumulator grows until an allocation fails, at which point the VM aborts and writes an erl_crash.dump, taking down the whole node rather than just the requesting process. The vulnerability is exploitable over the network with low attack complexity.
No verified public exploit code is available. Refer to the GitHub Security Advisory GHSA-jq4m-q6p2-8gwc for technical details.
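The following module is an added, self-contained model of the loop shape described above and of a hardened variant; it is illustrative code written for this page, not hackney_h3's source, and it is not an exploit. The peer is a local process sending {body, Bin, Fin} messages (a message shape assumed by this model), dripping a 1 KiB chunk just inside the inactivity window and never setting Fin. The vulnerable loop accumulates everything until the toy peer stops; the hardened loop adds a cumulative byte cap and an absolute deadline computed once before the first receive.

```erlang
%% h3_loop_demo.erl - added model, not hackney code. Message shape
%% {body, Bin, Fin} is an assumption of this model.
-module(h3_loop_demo).
-export([run/0, vulnerable_loop/2, hardened_loop/2, slow_drip_peer/3]).

%% Vulnerable shape: `after Timeout` is a per-message inactivity timer,
%% so every chunk resets it. Nothing bounds byte_size(Acc), the chunk
%% count, or elapsed wall-clock time. The buffered size is returned on
%% timeout only so the demo can show how much was accumulated.
vulnerable_loop(Timeout, Acc) ->
    receive
        {body, Bin, true}  -> {ok, <<Acc/binary, Bin/binary>>};
        {body, Bin, false} -> vulnerable_loop(Timeout, <<Acc/binary, Bin/binary>>)
    after Timeout ->
        {error, {timeout, byte_size(Acc)}}
    end.

%% Hardened shape: same inactivity timer, plus a cumulative byte cap and
%% an absolute deadline fixed before the first receive.
%% Opts: #{timeout => InactivityMs, max_body => Bytes, deadline_ms => TotalMs}
hardened_loop(#{deadline_ms := Total} = Opts, Acc) ->
    Deadline = erlang:monotonic_time(millisecond) + Total,
    hardened_loop(Opts, Acc, Deadline).

hardened_loop(#{timeout := Timeout, max_body := MaxBody} = Opts, Acc, Deadline) ->
    Remaining = Deadline - erlang:monotonic_time(millisecond),
    if
        Remaining =< 0 -> {error, deadline};
        true ->
            receive
                {body, Bin, Fin} ->
                    Acc1 = <<Acc/binary, Bin/binary>>,
                    if
                        byte_size(Acc1) > MaxBody -> {error, body_too_large};
                        Fin -> {ok, Acc1};
                        true -> hardened_loop(Opts, Acc1, Deadline)
                    end
            %% Never sleep past the deadline, whatever the inactivity timer says.
            after min(Timeout, Remaining) ->
                if
                    Remaining =< Timeout -> {error, deadline};
                    true -> {error, timeout}
                end
            end
    end.

%% Peer that sends a 1 KiB chunk with Fin = false every IntervalMs,
%% Count times, then goes quiet: the slow-drip pattern from the text.
slow_drip_peer(Client, IntervalMs, Count) ->
    spawn(fun() -> drip(Client, IntervalMs, Count) end).

drip(_Client, _Interval, 0) -> ok;
drip(Client, Interval, N) ->
    timer:sleep(Interval),
    Client ! {body, <<0:8192>>, false},
    drip(Client, Interval, N - 1).

%% Wait for a peer to finish and drop any chunks still queued.
drain(Peer) ->
    Ref = erlang:monitor(process, Peer),
    receive {'DOWN', Ref, process, Peer, _} -> ok end,
    flush().

flush() ->
    receive {body, _, _} -> flush() after 0 -> ok end.

run() ->
    Timeout = 200,
    Interval = Timeout - 50,   %% each chunk lands just inside the timer
    %% 1. Vulnerable: 12 chunks keep the loop alive ~1.8 s and 12 KiB sit in
    %%    Acc; it returns only because the toy peer stops sending.
    P1 = slow_drip_peer(self(), Interval, 12),
    V = vulnerable_loop(Timeout, <<>>),
    drain(P1),
    %% 2. Hardened, 8 KiB cap: stops on chunk 9 with {error, body_too_large}.
    P2 = slow_drip_peer(self(), Interval, 12),
    B = hardened_loop(#{timeout => Timeout, max_body => 8192, deadline_ms => 10000}, <<>>),
    drain(P2),
    %% 3. Hardened, 500 ms deadline: {error, deadline} at ~500 ms even though
    %%    every chunk arrives inside the inactivity window.
    P3 = slow_drip_peer(self(), Interval, 12),
    D = hardened_loop(#{timeout => Timeout, max_body => 1 bsl 30, deadline_ms => 500}, <<>>),
    drain(P3),
    {V, B, D}.
```

Compile with erlc h3_loop_demo.erl and call h3_loop_demo:run() in an erl shell; it returns {{error,{timeout,12288}}, {error,body_too_large}, {error,deadline}}. The two guards in the hardened variant are independent: the byte cap stops a fast peer that stays under the timer, and the deadline stops a slow peer that stays under the cap.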
Detection Methods for CVE-2026-47077
Indicators of Compromise
- BEAM virtual machine processes exhibiting sustained memory growth while a single HTTP/3 request is in flight
- erl_crash.dump files whose slogan reports an allocator failure (for example eheap_alloc or binary_alloc: Cannot allocate ... bytes of memory) and whose process listing shows hackney_h3 functions in the stack trace
- Long-lived outbound HTTP/3 (QUIC, UDP/443) connections to untrusted destinations that never close
Detection Strategies
- Inventory dependencies across Erlang and Elixir projects (rebar3 tree, mix deps.tree, and the rebar.lock / mix.lock files) and flag any hackney version from 2.0.0 up to but not including 4.0.1, including copies pulled in transitively by other libraries
- Monitor per-process memory in the BEAM VM with erlang:process_info(Pid, memory) and alert when an HTTP client process exceeds an expected ceiling. That figure covers the heap and stack only; response body chunks larger than 64 bytes are reference-counted binaries held off-heap, so also sum the sizes returned by erlang:process_info(Pid, binary) or track erlang:memory(binary) node-wide
- Inspect QUIC session telemetry for outbound HTTP/3 streams that remain open for unusually long durations without Fin set
Monitoring Recommendations
- Forward Erlang crash dumps and error_logger events to a centralized logging platform for correlation
- Track the rate and size distribution of HTTP/3 response bodies handled by hackney to baseline normal behavior
- Alert on repeated BEAM process restarts coinciding with outbound HTTP/3 traffic to new or rare destinations
How to Mitigate CVE-2026-47077
Immediate Actions Required
- Upgrade hackney to version 4.0.1 or later in all affected Erlang and Elixir projects
- Rebuild and redeploy any release artifacts that statically embed hackney or its dependents
- Restrict outbound HTTP/3 destinations to a known allowlist until upgrades are complete
Patch Information
The fix is committed in hackney commit 3d25f9fe and shipped in release 4.0.1. Authoritative advisories are published at the CNA advisory page, the GitHub Security Advisory GHSA-jq4m-q6p2-8gwc, and the OSV entry EEF-CVE-2026-47077.
Workarounds
- Disable HTTP/3 support in hackney clients and restrict requests to HTTP/1.1 or HTTP/2 until patched
- Block outbound UDP/443 (QUIC) traffic at the network perimeter where HTTP/3 is not required
- Enforce per-process heap limits in the BEAM VM so a runaway client is killed before the node runs out of memory: set the max_heap_size process flag on client processes (erlang:process_flag(max_heap_size, #{size => Words, kill => true, error_logger => true})) or a node-wide default with the +hmax emulator flag. The limit is measured in heap words and does not count off-heap reference-counted binaries, so treat it as a backstop rather than a complete control for large response bodies
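The module below is an added illustration of the two BEAM-side controls named in this list and in the detection strategies above (a max_heap_size cap on the client process, and a watchdog polling process_info/2); it is written for this page and is not hackney code. The runaway process stands in for a client that never sees Fin: its chunks are 32-byte heap binaries built at runtime, so the growth lands on the process heap where both controls can see it. The off_heap_bytes/1 helper shows the extra check a watchdog needs for real response bodies, which are larger binaries stored off-heap.

```erlang
%% beam_guard_demo.erl - added illustration of max_heap_size and a
%% process_info/2 watchdog. Not hackney code; the runaway accumulator is
%% a stand-in for a response loop that never terminates.
-module(beam_guard_demo).
-export([run/0, spawn_guarded/1, watch/3, off_heap_bytes/1]).

%% Appends a fresh 32-byte heap binary per iteration, forever. Binaries
%% under 64 bytes live on the process heap, so this growth is visible to
%% max_heap_size and to process_info(Pid, memory).
runaway(N, Acc) ->
    receive stop -> ok
    after 0 -> runaway(N + 1, [<<N:256>> | Acc])
    end.

%% Spawn the accumulator with a hard heap ceiling in words. kill => true
%% makes the VM kill the process (exit reason killed) at the first GC
%% that finds the heap over the limit; error_logger => true logs it.
spawn_guarded(MaxHeapWords) ->
    spawn(fun() ->
        process_flag(max_heap_size,
                     #{size => MaxHeapWords, kill => true, error_logger => true}),
        runaway(0, [])
    end).

%% Bytes of reference-counted (off-heap) binaries referenced by Pid.
%% Large response bodies live here, not in the memory figure, so a
%% watchdog has to add this in.
off_heap_bytes(Pid) ->
    case erlang:process_info(Pid, binary) of
        {binary, Bins} -> lists:sum([Size || {_Id, Size, _Refc} <- Bins]);
        undefined -> 0
    end.

%% Poll Pid every IntervalMs. Returns {killed, Bytes} once heap plus
%% off-heap binaries exceed CeilingBytes, or {down, Reason} if the
%% process exits on its own (including a VM-enforced max_heap_size kill).
watch(Pid, CeilingBytes, IntervalMs) ->
    Ref = erlang:monitor(process, Pid),
    watch_loop(Pid, Ref, CeilingBytes, IntervalMs).

watch_loop(Pid, Ref, Ceiling, Interval) ->
    receive
        {'DOWN', Ref, process, Pid, Reason} -> {down, Reason}
    after Interval ->
        case erlang:process_info(Pid, memory) of
            undefined ->
                %% Already gone; the DOWN message is on its way.
                receive {'DOWN', Ref, process, Pid, R} -> {down, R} end;
            {memory, HeapBytes} ->
                Total = HeapBytes + off_heap_bytes(Pid),
                case Total > Ceiling of
                    true ->
                        erlang:demonitor(Ref, [flush]),
                        exit(Pid, kill),
                        {killed, Total};
                    false ->
                        watch_loop(Pid, Ref, Ceiling, Interval)
                end
        end
    end.

run() ->
    %% 1. VM-enforced cap of 1,000,000 words (8 MB on a 64-bit VM). The
    %%    watchdog ceiling is huge, so the VM kills it first: {down, killed}.
    Guarded = spawn_guarded(1000000),
    GuardedResult = watch(Guarded, 1 bsl 40, 10),
    %% 2. No process flag; the watchdog alone stops it at 4 MB: {killed, Bytes}.
    Unguarded = spawn(fun() -> runaway(0, []) end),
    WatchResult = watch(Unguarded, 4 * 1024 * 1024, 10),
    {GuardedResult, WatchResult}.
```

Compile with erlc beam_guard_demo.erl and call beam_guard_demo:run(); the first element is {down, killed} from the VM-enforced limit and the second is {killed, Bytes} from the watchdog. In a real deployment the watchdog would be a supervisor-linked process and the kill would be logged with the request's destination, which is the correlation the monitoring recommendations below rely on.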
Configuration example - update hackney via rebar3 or mix, then refresh the lock file

%% rebar.config
{deps, [
    {hackney, "4.0.1"}
]}.

# mix.exs
defp deps do
  [
    {:hackney, "~> 4.0.1"}
  ]
end

After editing, run rebar3 upgrade hackney or mix deps.update hackney so rebar.lock / mix.lock record the fixed release, and confirm the resolved version with rebar3 tree or mix deps.tree.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.