CVE-2026-7790 Overview
CVE-2026-7790 is an uncontrolled resource consumption vulnerability in ninenines/cowlib, the HTTP parsing library used by the Cowboy Erlang web server. The flaw resides in the cow_http_te module, which parses HTTP/1.1 chunked transfer encoding. The chunked parser accepts an unbounded number of hex digits in the chunk-size field, which leads to quadratic and, under fragmented input, cubic algorithmic complexity during parsing. An unauthenticated remote attacker can trigger denial of service through CPU exhaustion and memory amplification with a single crafted request. The issue affects cowlib from version 0.6.0 up to, but not including, 2.16.1 and is tracked under CWE-400 (Uncontrolled Resource Consumption).
Critical Impact
An unauthenticated attacker can send one HTTP/1.1 request with a Transfer-Encoding: chunked header and an oversized chunk-size hex string to consume excessive CPU and memory, degrading or halting service availability.
Affected Products
- ninenines/cowlib versions 0.6.0 through 2.16.0
- Erlang/OTP applications embedding Cowboy web server with vulnerable cowlib
- Any service exposing HTTP/1.1 endpoints parsed by cow_http_te
Discovery Timeline
- 2026-05-11 - CVE-2026-7790 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-7790
Vulnerability Analysis
The vulnerability resides in src/cow_http_te.erl, specifically in the routines cow_http_te:stream_chunked/2 and cow_http_te:chunked_len/4. These functions parse the chunk-size field of an HTTP/1.1 chunked-encoded request body. The parser accumulates the length value by computing Len * 16 + digit for each hex character read. Because Erlang integers are arbitrary-precision bignums, every additional digit increases the cost of the multiplication operation. Parsing N hex digits requires O(N²) CPU work and O(N) memory for the resulting bignum.
The problem compounds when input arrives in fragments. When a TCP packet ends in the middle of the chunk-size field, the parser discards the accumulated length and restarts from zero upon receiving the next fragment. An attacker who drip-feeds the chunk-size raises the total parsing cost to O(N³). A single connection with a sufficiently long hex string saturates a CPU core for an extended period.
Root Cause
The root cause is missing bounds enforcement on the chunk-size field length. RFC 9112 does not mandate a maximum, but practical implementations must cap hex digit count to prevent algorithmic complexity attacks. The cowlib parser accepted arbitrarily long input and re-parsed it on each resumption.
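A streaming chunk-size parser with the two properties the fix is described as adding, a cap on the number of hex digits and accumulator state that survives partial reads, written as an added Python example rather than cowlib's own Erlang code (Python integers are arbitrary-precision like Erlang's, so the Len * 16 + digit accumulation behaves the same way). The cap of 16 digits, the class and function names, and the error types are assumptions; the bound cowlib 2.16.1 actually enforces is not stated on this page.

```python
from dataclasses import dataclass
# Assumed cap; the bound cowlib 2.16.1 enforces is not stated on this page.
MAX_HEX_DIGITS = 16
HEX = {c: int(chr(c), 16) for c in b"0123456789abcdefABCDEF"}

class ChunkSizeTooLong(ValueError):
    """Raised before the accumulator can grow past MAX_HEX_DIGITS digits."""

@dataclass
class ChunkSizeParser:
    length: int = 0      # Len * 16 + digit per hex character, as in the text
    digits: int = 0      # hex digits consumed so far, bounded by MAX_HEX_DIGITS
    state: str = "size"  # size -> ext -> cr -> done

    def feed(self, data: bytes) -> bytes:
        """Consume one fragment; returns bytes after CRLF once state is "done", else b"".
        The accumulator persists between calls, so drip-fed input is never re-parsed."""
        for i, b in enumerate(data):
            if self.state == "cr":
                if b != 0x0A:
                    raise ValueError("expected LF after CR in chunk-size line")
                self.state = "done"
                return data[i + 1:]
            if b == 0x0D:              # CR ends the size (or extension) part
                if self.digits == 0:
                    raise ValueError("empty chunk-size field")
                self.state = "cr"
                continue
            if self.state == "ext":    # chunk-extension bytes are skipped
                continue
            if b == 0x3B:              # ';' begins a chunk extension
                self.state = "ext"
                continue
            d = HEX.get(b)
            if d is None:
                raise ValueError(f"invalid chunk-size byte {b:#04x}")
            if self.digits >= MAX_HEX_DIGITS:
                raise ChunkSizeTooLong(f"chunk-size exceeds {MAX_HEX_DIGITS} hex digits")
            self.length = self.length * 16 + d
            self.digits += 1
        return b""

def parse_chunk_size(fragments):
    """Feed fragments (one per TCP segment, say) and return (length, leftover bytes)."""
    p = ChunkSizeParser()
    for frag in fragments:
        rest = p.feed(frag)
        if p.state == "done":
            return p.length, rest
    raise ValueError("incomplete chunk-size line")
```

Over-long input is rejected on the 17th digit whether it arrives in one segment or one byte at a time, so the parsing cost stays linear in the bytes received.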
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends an HTTP/1.1 POST or PUT request with Transfer-Encoding: chunked followed by a very long sequence of hex digits in the chunk-size line. Drip-feeding the digits across multiple TCP segments amplifies the cost further. Refer to the CNA Security Advisory and the OSV Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-7790
Indicators of Compromise
- HTTP/1.1 requests with Transfer-Encoding: chunked containing chunk-size lines exceeding a reasonable length (for example, more than 16 hex characters)
- Sustained high CPU utilization in Erlang VM scheduler threads tied to Cowboy listener processes
- Slow-rate clients sending partial TCP segments that gradually transmit hex digits without completing the chunk-size CRLF terminator
Detection Strategies
- Inspect reverse proxy and web application firewall logs for chunked requests with abnormally long chunk-size fields
- Monitor the Erlang VM for processes consuming disproportionate reductions or holding large bignum values in cow_http_te stack frames
- Correlate connection-level metrics with response latency spikes on Cowboy-fronted endpoints
Monitoring Recommendations
- Track per-connection request parsing time and alert when parsing of headers or chunk metadata exceeds a baseline threshold
- Enable CPU utilization alerts on Erlang BEAM scheduler threads with thresholds tuned for sustained saturation
- Log and rate-limit clients that submit Transfer-Encoding: chunked requests with chunk-size fields larger than 8 hex digits
How to Mitigate CVE-2026-7790
Immediate Actions Required
- Upgrade cowlib to version 2.16.1 or later and rebuild all Erlang/OTP releases that embed Cowboy
- Inventory all services using Cowboy or transitive dependencies on cowlib through rebar.lock or mix.lock files
- Place a hardened reverse proxy in front of Cowboy listeners to validate and bound chunked encoding fields
Patch Information
The maintainers fixed the issue in cowlib 2.16.1 by enforcing a bound on the chunk-size hex digit count and preserving accumulated length across partial reads. See the GitHub Commit Reference for the exact code change. Update dependency declarations and redeploy affected releases.
Workarounds
- Front Cowboy with a reverse proxy such as NGINX or HAProxy that rejects chunked requests with oversized chunk-size lines
- Apply web application firewall rules to drop HTTP/1.1 requests where the chunk-size field exceeds 16 hex characters
- Restrict request body size and idle connection timeouts to limit the window for drip-fed attacks
% Configuration example - rebar3 dependency pinning (rebar.config)
{deps, [
    {cowboy, "2.12.0"},
    {cowlib, "2.16.1"}
]}.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.