CVE-2026-7790: Unbounded chunk-size hex digits in cowlib cause quadratic CPU and memory DoS

AI Predicted 7.5 Difficulty: Moderate EPSS 0.08% · P23

Affected Version Matrix

Vendor | Product | Version Range | Status
ninenines | cowlib | >= 0.6.0, < 2.16.1 | affected
ninenines | cowlib | >= 8c0e428b012c59f553a264f285ed89d36f791e3e, < a4b8039ce8c93ab00867ef6b7e888822c09f4369 | affected

I. Basic Information for CVE-2026-7790

Vulnerability Information


Vulnerability Title
Unbounded chunk-size hex digits in cowlib cause quadratic CPU and memory DoS
Source: NVD (National Vulnerability Database)
Vulnerability Description
Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation. The chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N²) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N³). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification. This vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4. This issue affects cowlib: from 0.6.0 before 2.16.1.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
Uncontrolled Resource Consumption (Resource Exhaustion)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Cowlib Resource Management Error Vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
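Cowlib is an open-source library from Nine Nines for parsing and building web protocol messages. cowlib versions from 0.6.0 up to but not including 2.16.1 contain a resource management error vulnerability. It stems from the chunked transfer-encoding parser in the cow_http_te module accepting an unlimited number of hexadecimal digits, which can lead to CPU exhaustion and memory amplification, resulting in denial of service.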
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
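
The NVD description above ties the cost to two things: no cap on the number of chunk-size hex digits, and accumulated state being discarded on partial reads. The sketch below is an added example, not cowlib's code or its 2.16.1 fix, and is written in Python (whose integers are also arbitrary-precision) rather than Erlang. The 16-digit cap and all class and function names are assumptions; chunk extensions are out of scope and rejected.

```python
MAX_HEX_DIGITS = 16  # assumed cap: 16 hex digits already express any 64-bit length
HEX_DIGITS = b"0123456789abcdefABCDEF"


class ChunkSizeError(ValueError):
    """Raised when the chunk-size line is malformed or over the digit cap."""


class ChunkSizeParser:
    """Parses one chunk-size line that may arrive split across many reads."""

    def __init__(self, max_digits=MAX_HEX_DIGITS):
        self.max_digits = max_digits
        self.length = 0       # accumulated value, kept across partial reads
        self.digits = 0       # hex digits consumed so far (leading zeros count)
        self.seen_cr = False  # CR consumed, LF still expected

    def feed(self, data):
        """Return (length, rest) once CRLF is seen, or None if more input is needed."""
        for i, byte in enumerate(data):
            if self.seen_cr:
                if byte != 0x0A:
                    raise ChunkSizeError("CR not followed by LF")
                return self.length, data[i + 1:]
            if byte == 0x0D:
                if self.digits == 0:
                    raise ChunkSizeError("empty chunk size")
                self.seen_cr = True
            elif byte in HEX_DIGITS:
                self.digits += 1
                if self.digits > self.max_digits:
                    # Reject before multiplying: the value stays below 16**max_digits.
                    raise ChunkSizeError("chunk size exceeds digit cap")
                self.length = self.length * 16 + int(chr(byte), 16)
            else:
                raise ChunkSizeError("invalid byte in chunk size")
        return None


def parse_in_pieces(pieces, max_digits=MAX_HEX_DIGITS):
    """Feed constructed input fragments in order; each byte is processed once."""
    parser = ChunkSizeParser(max_digits)
    for piece in pieces:
        result = parser.feed(piece)
        if result is not None:
            return result
    return None
```

Because the digit count and running length live in the parser object, a drip-fed size line costs one bounded multiplication per byte, and an over-long one is rejected at digit 17 regardless of how it was fragmented.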

Affected Products

Vendor | Product | Affected Versions | CPE
ninenines | cowlib | 0.6.0 ~ 2.16.1 | cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*
ninenines | cowlib | 8c0e428b012c59f553a264f285ed89d36f791e3e ~ a4b8039ce8c93ab00867ef6b7e888822c09f4369 | cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*

II. Public POCs for CVE-2026-7790


No public POC found.


III. Intelligence Information for CVE-2026-7790


Same Patch Batch · ninenines · 2026-05-11 · 3 CVEs total

CVE-2026-43969: Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1
CVE-2026-43968: CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1
