{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-8466", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "state": "PUBLISHED", "assignerShortName": "EEF", "dateReserved": "2026-05-13T11:44:39.149Z", "datePublished": "2026-05-13T18:26:21.089Z", "dateUpdated": "2026-05-14T04:30:32.552Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.hex.pm", "cpes": ["cpe:2.3:a:ninenines:cowboy:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["cowboy_req"], "packageName": "cowboy", "packageURL": "pkg:hex/cowboy", "product": "cowboy", "programFiles": ["src/cowboy_req.erl"], "programRoutines": [{"name": "cowboy_req:read_part/1"}, {"name": "cowboy_req:read_part/2"}, {"name": "cowboy_req:read_part/3"}], "repo": "https://github.com/ninenines/cowboy", "vendor": "ninenines", "versions": [{"lessThan": "2.15.0", "status": "affected", "version": "2.0.0", "versionType": "semver"}]}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:ninenines:cowboy:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["cowboy_req"], "packageName": "ninenines/cowboy", "packageURL": "pkg:github/ninenines/cowboy", "product": "cowboy", "programFiles": ["src/cowboy_req.erl"], "programRoutines": [{"name": "cowboy_req:read_part/1"}, {"name": "cowboy_req:read_part/2"}, {"name": "cowboy_req:read_part/3"}], "repo": "https://github.com/ninenines/cowboy", "vendor": "ninenines", "versions": [{"lessThan": "5c6a2061b41bb5771c4659fac7d5a822dca5bafb", "status": "affected", "version": "917cf99e10c41676183d501b86af6e47c95afb89", "versionType": "git"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The application must expose an HTTP endpoint that calls <tt>cowboy_req:read_part/1,2</tt> to process <tt>multipart/form-data</tt> request bodies. Deployments that do not handle multipart uploads are not affected.</p>"}], "value": "The application must expose an HTTP endpoint that calls cowboy_req:read_part/1,2 to process multipart/form-data request bodies. Deployments that do not handle multipart uploads are not affected."}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ninenines:cowboy:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.15.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Ullrich"}, {"lang": "en", "type": "remediation developer", "value": "Lo\u00efc Hoguin"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing.</p><p><tt>cowboy_req:read_part/3</tt> in <tt>src/cowboy_req.erl</tt> accumulates incoming request bytes into a <tt>Buffer</tt> binary with no upper-bound check. When <tt>cow_multipart:parse_headers/2</tt> returns <tt>more</tt> or <tt>{more, Buffer2}</tt>, the function reads up to <tt>Length</tt> bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the <tt>byte_size(Acc) &gt; Length</tt> guard present in the sibling function <tt>read_part_body/4</tt>. An unauthenticated attacker can send a <tt>multipart/form-data</tt> request whose body never yields a complete header section \u2014 for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain <tt>\\r\\n\\r\\n</tt> \u2014 and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory.</p><p>This issue affects cowboy from 2.0.0 before 2.15.0.</p>"}], "value": "Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing.\n\ncowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cow_multipart:parse_headers/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the byte_size(Acc) > Length guard present in the sibling function read_part_body/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section \u2014 for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \\r\\n\\r\\n \u2014 and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory.\n\nThis issue affects cowboy from 2.0.0 before 2.15.0."}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"cvssV4_0": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 8.2, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-05-14T04:30:32.552Z"}, "references": [{"tags": ["related", "third-party-advisory"], "url": "https://cna.erlef.org/cves/CVE-2026-8466.html"}, {"tags": ["related"], "url": "https://osv.dev/vulnerability/EEF-CVE-2026-8466"}, {"tags": ["patch"], "url": "https://github.com/ninenines/cowboy/commit/5c6a2061b41bb5771c4659fac7d5a822dca5bafb"}], "source": {"discovery": "EXTERNAL"}, "title": "Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy", "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-13T18:46:37.406887Z", "id": "CVE-2026-8466", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-13T18:52:29.452Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-8466", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-13T18:46:37.406887Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-13T18:52:18.933Z"}}], "cna": {"title": "Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Peter Ullrich"}, {"lang": "en", "type": "remediation developer", "value": "Lo\u00efc Hoguin"}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:ninenines:cowboy:*:*:*:*:*:*:*:*"], "repo": "https://github.com/ninenines/cowboy", "vendor": "ninenines", "modules": ["cowboy_req"], "product": "cowboy", "versions": [{"status": "affected", "version": "2.0.0", "lessThan": "2.15.0", "versionType": "semver"}], "packageURL": "pkg:hex/cowboy", "packageName": "cowboy", "programFiles": ["src/cowboy_req.erl"], "collectionURL": "https://repo.hex.pm", "defaultStatus": "unaffected", "programRoutines": [{"name": "cowboy_req:read_part/1"}, {"name": "cowboy_req:read_part/2"}, {"name": "cowboy_req:read_part/3"}]}, {"cpes": ["cpe:2.3:a:ninenines:cowboy:*:*:*:*:*:*:*:*"], "repo": "https://github.com/ninenines/cowboy", "vendor": "ninenines", "modules": ["cowboy_req"], "product": "cowboy", "versions": [{"status": "affected", "version": "917cf99e10c41676183d501b86af6e47c95afb89", "lessThan": "5c6a2061b41bb5771c4659fac7d5a822dca5bafb", "versionType": "git"}], "packageURL": "pkg:github/ninenines/cowboy", "packageName": "ninenines/cowboy", "programFiles": ["src/cowboy_req.erl"], "collectionURL": "https://github.com", "defaultStatus": "unaffected", "programRoutines": [{"name": "cowboy_req:read_part/1"}, {"name": "cowboy_req:read_part/2"}, {"name": "cowboy_req:read_part/3"}]}], "references": [{"url": "https://cna.erlef.org/cves/CVE-2026-8466.html", "tags": ["related", "third-party-advisory"]}, {"url": "https://osv.dev/vulnerability/EEF-CVE-2026-8466", "tags": ["related"]}, {"url": "https://github.com/ninenines/cowboy/commit/5c6a2061b41bb5771c4659fac7d5a822dca5bafb", "tags": ["patch"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing.\n\ncowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cow_multipart:parse_headers/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the byte_size(Acc) > Length guard present in the sibling function read_part_body/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section \u2014 for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \\r\\n\\r\\n \u2014 and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory.\n\nThis issue affects cowboy from 2.0.0 before 2.15.0.", "supportingMedia": [{"type": "text/html", "value": "<p>Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing.</p><p><tt>cowboy_req:read_part/3</tt> in <tt>src/cowboy_req.erl</tt> accumulates incoming request bytes into a <tt>Buffer</tt> binary with no upper-bound check. When <tt>cow_multipart:parse_headers/2</tt> returns <tt>more</tt> or <tt>{more, Buffer2}</tt>, the function reads up to <tt>Length</tt> bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the <tt>byte_size(Acc) &gt; Length</tt> guard present in the sibling function <tt>read_part_body/4</tt>. An unauthenticated attacker can send a <tt>multipart/form-data</tt> request whose body never yields a complete header section \u2014 for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain <tt>\\r\\n\\r\\n</tt> \u2014 and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory.</p><p>This issue affects cowboy from 2.0.0 before 2.15.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "configurations": [{"lang": "en", "value": "The application must expose an HTTP endpoint that calls cowboy_req:read_part/1,2 to process multipart/form-data request bodies. Deployments that do not handle multipart uploads are not affected.", "supportingMedia": [{"type": "text/html", "value": "<p>The application must expose an HTTP endpoint that calls <tt>cowboy_req:read_part/1,2</tt> to process <tt>multipart/form-data</tt> request bodies. Deployments that do not handle multipart uploads are not affected.</p>", "base64": false}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ninenines:cowboy:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.15.0", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-05-14T04:30:32.552Z"}}}, "cveMetadata": {"cveId": "CVE-2026-8466", "state": "PUBLISHED", "dateUpdated": "2026-05-14T04:30:32.552Z", "dateReserved": "2026-05-13T11:44:39.149Z", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "datePublished": "2026-05-13T18:26:21.089Z", "assignerShortName": "EEF"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing.\n\ncowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cow_multipart:parse_headers/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the byte_size(Acc) > Length guard present in the sibling function read_part_body/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section \u2014 for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \\r\\n\\r\\n \u2014 and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory.\n\nThis issue affects cowboy from 2.0.0 before 2.15.0."}], "id": "CVE-2026-8466", "lastModified": "2026-05-13T19:17:30.540", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}, "published": "2026-05-13T19:17:30.540", "references": [{"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://cna.erlef.org/cves/CVE-2026-8466.html"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/ninenines/cowboy/commit/5c6a2061b41bb5771c4659fac7d5a822dca5bafb"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://osv.dev/vulnerability/EEF-CVE-2026-8466"}], "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}

{}

{"created": "2026-05-13T20:00:04.255907+00:00", "updated": "2026-05-13T20:00:04.255932+00:00", "vendors": []}