PatchSiren cyber security CVE debrief
CVE-2026-47073 benoitc CVE debrief
## Summary

CVE-2026-47073 is a HIGH severity (CVSS 8.7) resource exhaustion vulnerability in the hackney Erlang HTTP client, specifically in its WebSocket implementation. A malicious WebSocket server can cause denial of service through memory exhaustion via three distinct attack vectors: unbounded handshake response buffering, unbounded frame payload buffering, and unbounded fragmented frame accumulation. The issue affects hackney versions 2.0.0 through 4.0.0; the fix is in version 4.0.1. No authentication or special client configuration is required for exploitation, only control of the server the hackney client connects to.

## Technical Details

The vulnerability stems from three code paths in `src/hackney_ws.erl` that lack upper bounds on memory consumption:

1. **Handshake Response Buffer (`read_handshake_response/3`)**: Accumulates received bytes into a growing buffer without a size limit. The per-receive timeout resets on every chunk, so a server can stream bytes indefinitely without ever sending the required `CRLFCRLF` terminator, growing the buffer until memory is exhausted.
2. **Frame Payload Parsing (`parse_payload/9` and `parse_active_payload/8`)**: Does not validate the declared payload length against any limit. RFC 6455 permits payload lengths up to 2^63-1 bytes; a server announcing a very large frame and dribbling bytes slowly causes the accumulation buffer to grow without bound until out-of-memory conditions occur.
3. **Fragmented Frame Buffer (`frag_buffer` field in `#ws_data{}`)**: Accumulates continuation frames indefinitely. A server sending an endless stream of non-final (no FIN) fragments without ever sending a final (FIN) frame causes `frag_buffer` to grow without bound.

In all cases, the attacker only needs to control the WebSocket server that the hackney client connects to. No client-side authentication or special configuration is required.

## Affected Versions

- **Affected**: hackney 2.0.0 through 4.0.0 (inclusive)
- **Fixed**: hackney 4.0.1 and later

## Impact Assessment

- **Availability Impact**: HIGH — Complete denial of service through memory exhaustion
- **Conf/Integ/
- Vendor: benoitc
- Product: hackney
- CVSS: HIGH 8.7 (CVSS 4.0, per NVD)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-27
Who should care
Organizations running Erlang/Elixir applications using hackney for WebSocket client connections, particularly those connecting to untrusted or third-party WebSocket servers. DevOps teams managing BEAM VM deployments with hackney dependencies. Security teams responsible for supply chain vulnerability management in Erlang ecosystems.
Technical summary
The hackney Erlang HTTP client's WebSocket implementation (src/hackney_ws.erl) contains three unbounded buffer vulnerabilities: (1) read_handshake_response/3 accumulates handshake bytes without size limits with resettable timeouts; (2) parse_payload/9 and parse_active_payload/8 accept RFC 6455 payload lengths up to 2^63-1 without validation; (3) frag_buffer accumulates non-FIN continuation frames indefinitely. A malicious server can exploit any vector to cause memory exhaustion and DoS. Fixed in hackney 4.0.1.
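The three bounds the summary calls for, shown in Python as an added example (this is not hackney's Erlang code and not the 4.0.1 patch): a handshake reader capped on total bytes rather than per-receive time, a frame-header parser that rejects an oversized declared length before a single payload byte is buffered, and a fragment assembler with a ceiling on accumulated size. The cap values and function names are assumptions chosen for illustration, and the malicious inputs (a server that never sends `CRLFCRLF`, a frame declaring 2^63-1 bytes, an endless no-FIN stream) are constructed here.

```python
import struct

# Caps are assumptions for illustration, not hackney's actual values.
MAX_HANDSHAKE_BYTES = 8 * 1024   # whole handshake response, not per-receive
MAX_FRAME_PAYLOAD = 1 << 20      # largest declared frame length we will buffer
MAX_FRAGMENT_TOTAL = 4 << 20     # largest assembled fragmented message

class WsLimitExceeded(Exception):
    """Peer pushed past a memory bound; the caller should close the socket."""

def read_handshake_response(chunks, limit=MAX_HANDSHAKE_BYTES):
    """Accumulate socket reads until CRLFCRLF. The check is on total bytes
    buffered, so a server dribbling bytes cannot grow the buffer forever."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        end = buf.find(b"\r\n\r\n")
        if end != -1:
            return buf[:end + 4], buf[end + 4:]     # (headers, leftover)
        if len(buf) > limit:
            raise WsLimitExceeded(f"handshake exceeded {limit} bytes without CRLFCRLF")
    raise EOFError("connection closed before handshake completed")

def parse_frame_header(data, max_payload=MAX_FRAME_PAYLOAD):
    """Parse one RFC 6455 frame header -> (fin, opcode, length, header_len),
    or None if more header bytes are needed. The declared length is checked
    against max_payload here, before any payload is buffered."""
    if len(data) < 2:
        return None
    fin, opcode = bool(data[0] & 0x80), data[0] & 0x0F
    masked, length = bool(data[1] & 0x80), data[1] & 0x7F
    hdr = 2
    if length == 126:
        if len(data) < 4:
            return None
        length, hdr = struct.unpack("!H", data[2:4])[0], 4
    elif length == 127:
        if len(data) < 10:
            return None
        length, hdr = struct.unpack("!Q", data[2:10])[0], 10
        if length >> 63:
            raise ValueError("RFC 6455: top bit of a 64-bit length must be 0")
    if masked:                     # servers must not mask, but account for the key
        hdr += 4
    if length > max_payload:
        raise WsLimitExceeded(f"declared payload {length} exceeds {max_payload}")
    return fin, opcode, length, hdr

def assemble_messages(frames, max_total=MAX_FRAGMENT_TOTAL):
    """Yield (opcode, payload) for complete messages from (fin, opcode, payload)
    frames. Fragments accumulate only while the running total stays under
    max_total, so an endless no-FIN stream is rejected instead of buffered."""
    frag_buffer, frag_size, frag_opcode = [], 0, None
    for fin, opcode, payload in frames:
        if opcode >= 0x8:                      # control frames are never fragmented
            yield opcode, payload
            continue
        if opcode != 0x0:                      # first fragment or whole message
            if frag_opcode is not None:
                raise ValueError("data frame while a fragmented message is pending")
            if fin:
                yield opcode, payload
                continue
            frag_opcode = opcode
        elif frag_opcode is None:
            raise ValueError("continuation frame with no message in progress")
        frag_size += len(payload)
        if frag_size > max_total:
            raise WsLimitExceeded(f"fragmented message exceeds {max_total} bytes")
        frag_buffer.append(payload)
        if fin:
            yield frag_opcode, b"".join(frag_buffer)
            frag_buffer, frag_size, frag_opcode = [], 0, None

def _rejected(fn):
    try:
        fn()
    except WsLimitExceeded:
        return "rejected"
    return "accepted"

def probe_vectors():
    """Constructed malicious server behaviour, one input per vector."""
    def endless_headers():                     # never sends CRLFCRLF
        yield b"HTTP/1.1 101 Switching Protocols\r\n"
        while True:
            yield b"X-Pad: " + b"A" * 1000 + b"\r\n"
    def never_fin():                           # binary message that never ends
        yield (False, 0x2, b"\x00" * 1024)
        while True:
            yield (False, 0x0, b"\x00" * 1024)
    huge = bytes([0x82, 0x7F]) + struct.pack("!Q", (1 << 63) - 1)   # declares 2^63-1
    return {
        "handshake_flood": _rejected(lambda: read_handshake_response(endless_headers())),
        "huge_frame": _rejected(lambda: parse_frame_header(huge)),
        "endless_fragments": _rejected(lambda: list(assemble_messages(never_fin()))),
    }

if __name__ == "__main__":
    for vector, outcome in probe_vectors().items():
        print(f"{vector}: {outcome}")
```

The point of each check is where it sits: the handshake bound is on bytes already buffered, not on time since the last receive; the frame bound is applied to the declared length in the header, so no allocation is made for a frame that will never be accepted; the fragment bound is on the running total across continuation frames, not on any single frame.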
Defensive priority
HIGH
Recommended defensive actions
- Upgrade hackney to version 4.0.1 or later to address unbounded memory consumption vulnerabilities in WebSocket handling
- If immediate upgrade is not possible, implement network-level controls to restrict WebSocket connections to trusted servers only
- Monitor application memory usage for anomalous growth patterns that may indicate exploitation attempts
- Review and implement application-level resource limits (e.g., memory caps, connection timeouts) as defense-in-depth measures
- Audit dependencies to identify all systems using affected hackney versions for prioritized patching
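The dependency audit in the last action, as an added Python script (not a hackney or PatchSiren tool) that scans rebar.lock and mix.lock for hackney pins and flags versions in the affected range 2.0.0 through 4.0.0 inclusive. The regexes assume the hex-package pin syntax that rebar3 and mix write by default; the lock file excerpts below are constructed, with placeholder hashes.

```python
import re
import sys
from pathlib import Path

AFFECTED_MIN, AFFECTED_MAX, FIXED = (2, 0, 0), (4, 0, 0), "4.0.1"

# Hex pins as written by rebar3 and mix (whitespace-tolerant).
REBAR_HEX = re.compile(r'\{<<"hackney">>,\s*\{pkg,\s*<<"hackney">>,\s*<<"([^"]+)">>\}')
MIX_HEX = re.compile(r'"hackney":\s*\{:hex,\s*:hackney,\s*"([^"]+)"')
# Git pins carry no version to compare; they need a manual look at the ref.
REBAR_GIT = re.compile(r'\{<<"hackney">>,\s*\{git,')
MIX_GIT = re.compile(r'"hackney":\s*\{:git,')

def parse_version(v):
    """Leading MAJOR.MINOR.PATCH as an int tuple; a pre-release tag is
    ignored, so 4.0.0-rc.1 compares as 4.0.0 and is flagged."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised hackney version {v!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(v):
    return AFFECTED_MIN <= parse_version(v) <= AFFECTED_MAX

def audit_lock_text(text, name="<lock>"):
    """Return (lockfile, version, verdict) for each hackney pin found."""
    findings = []
    for v in REBAR_HEX.findall(text) + MIX_HEX.findall(text):
        verdict = f"AFFECTED (upgrade to >= {FIXED})" if is_affected(v) else "not affected"
        findings.append((name, v, verdict))
    if REBAR_GIT.search(text) or MIX_GIT.search(text):
        findings.append((name, "git", "REVIEW: git dependency, check the pinned ref"))
    return findings

def audit_paths(paths):
    return [f for p in paths for f in audit_lock_text(Path(p).read_text(), str(p))]

# Constructed sample lock contents (not real project files).
REBAR_SAMPLE = '''{"1.2.0",
[{<<"certifi">>,{pkg,<<"certifi">>,<<"2.15.0">>},0},
 {<<"hackney">>,{pkg,<<"hackney">>,<<"3.2.0">>},0}]}.
'''
MIX_SAMPLE = '''%{
  "hackney": {:hex, :hackney, "4.0.1", "0000", [:rebar3], [], "hexpm", "0000"},
  "idna": {:hex, :idna, "6.1.1", "0000", [:mix], [], "hexpm", "0000"},
}
'''

def demo():
    """Audit the constructed samples: one affected pin, one fixed pin."""
    return audit_lock_text(REBAR_SAMPLE, "rebar.lock") + audit_lock_text(MIX_SAMPLE, "mix.lock")

if __name__ == "__main__":
    # Usage: python audit_hackney.py path/to/rebar.lock path/to/mix.lock
    results = audit_paths(sys.argv[1:]) if sys.argv[1:] else demo()
    for name, version, verdict in results:
        print(f"{name}: hackney {version}: {verdict}")
```

Only lock files are scanned because they record the resolved version; a `~> 3.0` requirement in rebar.config or mix.exs says nothing about which release is actually deployed. A git-pinned hackney is reported for review rather than judged, since the lock carries a commit ref and no version number.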
Evidence notes
CVE description confirms three unbounded buffer code paths in hackney WebSocket client. GitHub advisory and commit provide fix details. CWE-400 (Uncontrolled Resource Consumption) classification from NVD. CVSS 4.0 vector from official NVD record.
Official resources
- CVE-2026-47073 CVE record (CVE.org)
- CVE-2026-47073 NVD detail (NVD)
- Mitigation or vendor reference: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Third Party Advisory, Patch
- Mitigation or vendor reference: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Patch
- Mitigation or vendor reference: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Exploit, Vendor Advisory, Patch