PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47066 benoitc CVE debrief

## Summary

CVE-2026-47066 is a high-severity infinite-loop vulnerability in the hackney Erlang HTTP client. The Alt-Svc response-header parser fails to make forward progress when it encounters certain non-token characters, causing the connection process to spin at 100% CPU and never return. A malicious or compromised HTTP server can trigger this by sending a single crafted byte in the Alt-Svc header.

## Affected Versions

- hackney: 2.0.0-beta.1 through 4.0.0 (fixed in 4.0.1)

## Root Cause

The parser in `src/hackney_altsvc.erl` contains three mutually recursive functions: `parse_token/2`, `skip_comma/1`, and `parse_entries/2`. When `parse_token/2` receives a byte that is not a token character, whitespace, or comma (e.g., `!`, `@`, `=`, `;`), it returns the input buffer unchanged. `skip_comma/1` similarly returns the buffer unchanged if the first byte is not a comma. `parse_entries/2` then recurses with identical data, creating a tight infinite tail-recursive loop that pins a scheduler at 100% CPU.

## Attack Vector

- **Network**: The vulnerability is triggered when hackney parses an HTTP response containing a malicious Alt-Svc header.
- **Control**: The header value is fully controlled by any HTTP origin the client connects to.
- **Trigger**: A single-byte Alt-Svc header such as `Alt-Svc: !` is sufficient to cause the hang.

## Impact

- **Availability**: Complete denial of service for the affected connection process; the calling process never returns.
- **Scope**: Each malicious response can pin one scheduler at 100% CPU. Repeated exploitation could exhaust scheduler resources.

## Recommended Actions

1. **Upgrade**: Update hackney to version 4.0.1 or later, which contains the fix.
2. **Verify**: Confirm the patched version is deployed across all services using hackney.
3. **Monitor**: Watch for unusual CPU utilization in Erlang/Elixir applications using hackney, particularly after connections to untrusted HTTP origins.
4. **Network Controls**: Where feasible, restrict outbound HTTP connections to trusted origins until patching is complete.
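As an added illustration of the bug class in the root cause above, the following Python model is not hackney's code and does not reproduce the 4.0.1 fix. It shows a comma-separated value parser whose loop assumes each round consumes input, while both its helpers can hand the buffer back untouched, alongside a variant that enforces forward progress and stops instead of retrying. The token alphabet, the function names, the `step_cap` (present only so the demonstration terminates; the real bug has no cap) and the stop-on-no-progress policy are all assumptions of this model.

```python
"""Simplified model of a comma-separated header-value parser.

Constructed example: this is NOT hackney's parser. It models the failure mode
described in the debrief (a parse loop that can repeat with identical state)
and a hardened variant that guarantees forward progress on every iteration.
"""

import string

# Simplified token alphabet (assumption for this model). The real header grammar
# is richer; the failure mode only needs "some bytes are not token characters".
TOKEN_CHARS = frozenset(string.ascii_letters + string.digits + "-._")

HUNG = "HUNG"  # sentinel the vulnerable model returns when it stops making progress


def parse_token(buf):
    """Consume a leading run of token characters. Returns (token, rest).

    If the first byte is not a token character, nothing is consumed and
    rest == buf. This mirrors the 'returns the input buffer unchanged' behaviour.
    """
    i = 0
    while i < len(buf) and buf[i] in TOKEN_CHARS:
        i += 1
    return buf[:i], buf[i:]


def skip_ows_and_comma(buf):
    """Skip optional whitespace and a single comma.

    Returns buf unchanged when neither whitespace nor a comma is present, so a
    stray byte such as '!' or '@' is left exactly where it was.
    """
    rest = buf.lstrip(" \t")
    if rest.startswith(","):
        return rest[1:].lstrip(" \t")
    return rest


def parse_entries_vulnerable(buf, step_cap=10_000):
    """Vulnerable pattern: loop until the buffer is empty, assuming each round
    consumes at least one byte. When parse_token and skip_ows_and_comma both
    consume nothing, the next iteration sees an identical buffer. The step_cap
    exists only so this demonstration terminates; the real bug has no cap.
    """
    entries = []
    for _ in range(step_cap):
        if not buf:
            return entries
        token, rest = parse_token(buf)
        if token:
            entries.append(token)
        buf = skip_ows_and_comma(rest)
        # If neither helper consumed anything, buf is unchanged here and the
        # loop repeats the exact same work on the next iteration.
    return HUNG


def parse_entries_hardened(buf):
    """Hardened variant: every iteration must shrink the buffer, otherwise stop.

    Unparseable trailing bytes are dropped rather than retried. This is a design
    choice for the model, not a claim about how hackney 4.0.1 resolves the issue.
    """
    entries = []
    while buf:
        token, rest = parse_token(buf)
        if token:
            entries.append(token)
        rest = skip_ows_and_comma(rest)
        if len(rest) >= len(buf):  # forward-progress guard: nothing consumed
            break
        buf = rest
    return entries


if __name__ == "__main__":
    # Constructed sample values: two well-formed lists and two with a stray byte.
    for value in ("clear", "h3, h2", "!", "h3, @"):
        print(repr(value), "->", parse_entries_vulnerable(value), "|", parse_entries_hardened(value))
```

Running the block shows the well-formed values parsing identically under both loops, while the single-byte value `!` drives the vulnerable loop to its cap (the model's stand-in for spinning forever) and the hardened loop returns an empty list immediately. The guard is deliberately a length comparison on the whole buffer rather than a check inside each helper, so it holds even if a future helper is added that can also return its input unchanged.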

| Field | Value |
| --- | --- |
| Vendor | benoitc |
| Product | hackney |
| CVSS | HIGH 8.7 |
| CISA KEV | Not listed in stored evidence |
| Original CVE published | 2026-05-25 |
| Original CVE updated | 2026-05-27 |
| Advisory published | 2026-05-25 |
| Advisory updated | 2026-05-27 |

Who should care

Organizations running Erlang or Elixir applications that use the hackney HTTP client library, particularly those making outbound HTTP connections to untrusted or third-party origins. Infrastructure teams monitoring for denial-of-service conditions and developers maintaining HTTP client dependencies should prioritize this patch.

Technical summary

The Alt-Svc response header parser in hackney versions 2.0.0-beta.1 through 4.0.0 fails to advance the parse position when encountering non-token characters, causing an infinite loop that pins the Erlang scheduler at 100% CPU. A malicious HTTP server can trigger this by sending a crafted Alt-Svc header.

Defensive priority

high

Recommended defensive actions

  • Upgrade hackney to version 4.0.1 or later.
  • Verify patched version deployment across all services.
  • Monitor for unusual CPU utilization in Erlang/Elixir applications using hackney.
  • Restrict outbound HTTP connections to trusted origins where feasible until patching is complete.

Evidence notes

- CVE description confirms the infinite loop in `src/hackney_altsvc.erl` and the specific trigger condition (non-token byte in Alt-Svc header).
- GitHub commit e548aba1f97ffa3f4750da7b772998fb78c01894 provides the fix.
- GitHub Security Advisory GHSA-6cp8-v795-jr2j documents the vulnerability and affected versions.
- CWE-835 (Loop with Unreachable Exit Condition) is assigned as the weakness.

Official resources

2026-05-25T15:16:21.597Z