Unbounded body accumulation in HTTP/3 response loop in hackney

Summary

CVE	CVE-2026-47077
State	PUBLISHED
Assigner	EEF
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-25 15:16:22 UTC
Updated	2026-05-27 13:53:56 UTC
Description	Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk, housekeeping message, or settings frame — it is not a wall-clock deadline. A malicious HTTP/3 server that emits one small chunk every Timeout - 1 ms with Fin = false and never sends a final frame keeps the loop alive indefinitely while the accumulation buffer grows linearly without bound, eventually exhausting the BEAM process heap and causing an out-of-memory condition. This issue affects hackney: from 2.0.0 before 4.0.1.

Risk And Classification

Primary CVSS: v4.0 8.2 HIGH from 6b3ad84c-e1a6-4bf7-a703-f496b71e49db

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS: 0.000420000 probability, percentile 0.131290000 (date 2026-05-27)

Problem Types: CWE-400 | CWE-400 CWE-400 Uncontrolled Resource Consumption

Version	Source	Type	Score	Severity	Vector
4.0	6b3ad84c-e1a6-4bf7-a703-f496b71e49db	Secondary	8.2	HIGH	`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/C...`
4.0	CNA	CVSS	8.2	HIGH	`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
3.1	[email protected]	Primary	7.5	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

CVSS v4.0 Breakdown

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

Present

Privileges Required

None

User Interaction

None

Confidentiality

None

Integrity

None

Availability

High

Sub Conf.

None

Sub Integrity

None

Sub Availability

None

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS v3.1 Breakdown

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Benoitc	Hackney	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Benoitc	Hackney	affected 2.0.0 4.0.1 semver	Not specified
CNA	Benoitc	Hackney	affected 0334af206d5099fdf510ed9eda18e34396f065ad 3d25f9fea26c90609de9d64366fedfe5065413bc git	Not specified

References

Reference	Source	Link	Tags
cna.erlef.org/cves/CVE-2026-47077.html	6b3ad84c-e1a6-4bf7-a703-f496b71e49db	cna.erlef.org	Third Party Advisory, Patch
github.com/benoitc/hackney/commit/3d25f9fea26c90609de9d64366fedfe5065413bc	6b3ad84c-e1a6-4bf7-a703-f496b71e49db	github.com	Patch
github.com/benoitc/hackney/security/advisories/GHSA-jq4m-q6p2-8gwc	134c704f-9b21-4f2e-91b3-4a467353bcc0	github.com	Exploit, Vendor Advisory, Patch
osv.dev/vulnerability/EEF-CVE-2026-47077	6b3ad84c-e1a6-4bf7-a703-f496b71e49db	osv.dev	Third Party Advisory, Patch
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Peter Ullrich (en)

CNA: Benoit Chesneau (en)

CNA: Jonatan Männchen (en)

There are currently no legacy QID mappings associated with this CVE.