Zero Day Monitor (ZDM) © 2026
CVE-2026-43970 (PATCHED)
ninenines · cowlib

Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame

Description

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2. This issue affects cowlib from 0.1.0 before 2.16.1.
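As an added illustration of the mitigation the description implies (not cowlib's own code or its patch): an Erlang helper that inflates a peer-supplied header block through zlib:safeInflate/2 under an explicit output byte budget, so decompression stops as soon as the budget is exceeded instead of growing the heap. The module name, the error atoms and the assumption that safeInflate/2 raises `{need_dictionary, Adler}` like inflate/2 does are assumptions for this example.

```erlang
%% Added example (not cowlib's code or its fix): inflate an untrusted
%% zlib stream such as a SPDY header block under an output byte budget.
%% zlib:safeInflate/2 returns after a small chunk, so the caller can stop
%% as soon as the budget is exceeded instead of letting zlib:inflate/2
%% expand the whole input onto the heap.
-module(bounded_inflate).
-export([new/1, inflate/3]).

%% Open a zlib context for a sequence of header blocks sharing one stream.
%% Dict is the preset dictionary the peer must use (for SPDY, ?ZDICT).
new(Dict) ->
    Z = zlib:open(),
    ok = zlib:inflateInit(Z),
    {Z, Dict}.

%% Inflate Data, refusing to produce more than MaxOut bytes in total.
%% Returns {ok, Binary} or {error, output_limit_exceeded}; on the
%% error path the caller should close the connection and the context.
inflate({Z, Dict}, Data, MaxOut) ->
    loop(Z, Dict, Data, MaxOut, 0, []).

loop(Z, Dict, Data, MaxOut, Seen, Acc) ->
    Result =
        try
            zlib:safeInflate(Z, Data)
        catch
            %% Assumption: like zlib:inflate/2, safeInflate/2 raises
            %% {need_dictionary, Adler} when the stream references the
            %% preset dictionary; install it and resume with no new input.
            error:{need_dictionary, _Adler} ->
                ok = zlib:inflateSetDictionary(Z, Dict),
                zlib:safeInflate(Z, <<>>)
        end,
    {Status, Out} = Result,
    Total = Seen + iolist_size(Out),
    if
        Total > MaxOut ->
            %% Stop before the decompressed data grows past the budget.
            {error, output_limit_exceeded};
        Status =:= finished ->
            %% zlib consumed all available input (or reached stream end).
            {ok, iolist_to_binary(lists:reverse([Out | Acc]))};
        true ->
            %% More output pending; continue with the empty binary.
            loop(Z, Dict, <<>>, MaxOut, Total, [Out | Acc])
    end.
```

A caller would pick MaxOut from the largest header block the server is willing to accept (a few hundred KiB is plenty for SPDY headers) and treat `{error, output_limit_exceeded}` as a protocol error.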

Affected Products

Vendor: ninenines
Product: cowlib (erlang/cowlib)
Versions: >= 0.1.0, < 2.16.1

References

  • https://cna.erlef.org/cves/CVE-2026-43970.html (related, third-party-advisory)
  • https://osv.dev/vulnerability/EEF-CVE-2026-43970 (related)
  • https://github.com/ninenines/cowlib/commit/16aad3fb9f81f5cda4d1706ff0c54237c619c282 (patch)

Related News (2 articles)

Tier A: Microsoft MSRC, 38d ago
CVE-2026-43970 Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame
→ No new info (linked only)

Tier C: VulDB, 45d ago
CVE-2026-43970 | ninenines cowlib up to 2.16.0 data amplification
→ No new info (linked only)
CISA KEV: No
Actively exploited: No
Patch available: cowlib@2.16.1
CWE: CWE-409
Published: May 13, 2026
Last enriched: 45d ago (v2)
Tags: CVE-2026-43970
Trending Score: 1
Source articles: 2
Independent: 2
Info Completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

CVE-2026-43973 (severity: NONE, exploit available): gun HTTP/1.1 response buffer has no size limit allowing server-controlled memory exhaustion. Trending: 64
CVE-2026-43966 (severity: NONE): HTTP Response Splitting via Non-VCHAR Bytes in cow_http_struct_hd:escape_string/2. Trending: 10
CVE-2026-43974 (severity: NONE, exploit available): gun HTTP/1.1 client accepts unsolicited 101 Switching Protocols response allowing server-driven protocol hijack and OOM. Trending: 3
CVE-2026-43972 (severity: NONE, exploit available): gun HTTP/2 PUSH_PROMISE authority not validated against connection origin allows cross-origin cookie injection. Trending: 2
CVE-2026-8466 (severity: HIGH): Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy. Trending: 1

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
May 13, 2026
Discovered by ZDM
May 13, 2026
Updated: severity, patchAvailable, tags
May 14, 2026
Patch Available
May 15, 2026

Version History

v2 (Tier C, 45d ago, via VulDB), last enriched 45d ago
Updated severity to HIGH, noted no exploit available, and added CVE-2026-43970 as a new tag.
Fields changed: severity, patchAvailable, tags

v1 (45d ago)
Initial creation