{"affected":[{"package":{"ecosystem":"Hex","name":"cowlib","purl":"pkg:hex/cowlib"},"ranges":[{"events":[{"introduced":"0.1.0"},{"fixed":"2.16.1"}],"type":"SEMVER"}],"versions":["1.0.0","1.0.1","1.0.2","1.1.0","1.2.0","1.3.0","2.0.0","2.0.1","2.1.0","2.2.0","2.2.1","2.3.0","2.4.0","2.5.0","2.5.1","2.6.0","2.7.0","2.7.1","2.7.2","2.7.3","2.8.0","2.9.0","2.9.1","2.10.0","2.10.1","2.11.0","2.12.0","2.12.1","2.13.0","2.14.0","2.15.0","2.16.0"]},{"ranges":[{"events":[{"introduced":"fad5c0049df278cc498b6cdb519b09e845a070a8"},{"fixed":"16aad3fb9f81f5cda4d1706ff0c54237c619c282"}],"repo":"https://github.com/ninenines/cowlib","type":"GIT"}]}],"aliases":["CVE-2026-43970"],"credits":[{"name":"Peter Ullrich","type":"FINDER"},{"name":"Loïc Hoguin","type":"REMEDIATION_DEVELOPER"}],"database_specific":{"capec_ids":["CAPEC-130"],"cpe_ids":["cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-409"]},"details":"## Summary\n\nImproper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion.\n\ncow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2.\n\nThis issue affects cowlib from 0.1.0 before 2.16.1.\n\n## Configuration\n\nThe application must use cow_spdy:parse/2 to parse SPDY frames from an untrusted peer. cowboy itself does not use cow_spdy; only direct callers of the cow_spdy API are affected.","id":"EEF-CVE-2026-43970","modified":"2026-05-13T18:43:11.640Z","published":"2026-05-13T18:43:11.640Z","references":[{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-43970.html"},{"type":"FIX","url":"https://github.com/ninenines/cowlib/commit/16aad3fb9f81f5cda4d1706ff0c54237c619c282"},{"type":"PACKAGE","url":"https://hex.pm/packages/cowlib"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","type":"CVSS_V4"}],"summary":"Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame","upstream":[]}