PatchSiren cyber security CVE debrief

CVE-2026-47077 benoitc CVE debrief

A resource exhaustion vulnerability exists in the hackney HTTP client library for Erlang/Elixir, specifically affecting HTTP/3 response handling. The `hackney_h3:await_response_loop/6` function accumulates response body data in memory without enforcing a maximum size limit. The timeout mechanism resets on each received chunk or control frame rather than serving as a hard deadline, allowing a malicious server to maintain an open connection indefinitely by sending minimal data at intervals just below the timeout threshold. This unbounded accumulation leads to linear memory growth until the BEAM process heap is exhausted, resulting in denial of service through out-of-memory conditions. The vulnerability affects versions 2.0.0 through 4.0.0, with remediation available in version 4.0.1.

Vendor: benoitc
Product: hackney
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-27
Advisory published: 2026-05-25
Advisory updated: 2026-05-27

Who should care

Organizations running Erlang/Elixir applications that use hackney for HTTP/3 client connections, particularly those connecting to untrusted or third-party HTTP/3 servers. Also relevant to infrastructure teams monitoring BEAM VM memory usage and to application developers implementing HTTP client functionality.

Technical summary

The vulnerability resides in `hackney_h3:await_response_loop/6` where HTTP/3 response body chunks are accumulated in a buffer without size constraints. The receive loop uses a timeout that resets on every message (data chunks, housekeeping messages, settings frames), meaning a malicious server can keep the connection alive by sending minimal data just before timeout expiration. With `Fin = false` and no final frame ever sent, the buffer grows without bound until memory exhaustion. This is a classic slowloris-style attack adapted for HTTP/3's framing mechanism. The fix in commit 3d25f9fea26c90609de9d64366fedfe5065413bc likely introduces maximum buffer size enforcement or independent wall-clock timeouts.
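The receive-loop pattern described above, shown as an added Erlang illustration beside a hardened form; this is not hackney's code, and the module name, function names and message shapes (`{h3_data, Bin, Fin}`, `{h3_settings, _}`) are assumptions chosen to mirror the description:

```erlang
%% Added illustration, not hackney's code: message shapes and names are assumed.
-module(h3_await_example).
-export([await_vulnerable/2, await_hardened/2, await_hardened/4]).

%% Vulnerable pattern: the `after` clause restarts on every message and the
%% accumulator has no upper bound. A server that sends a byte just before
%% Timeout elapses and never sets Fin keeps this loop alive while Acc grows.
await_vulnerable(Timeout, Acc) ->
    receive
        {h3_data, Bin, false} ->
            await_vulnerable(Timeout, [Bin | Acc]);     % timeout resets here
        {h3_data, Bin, true} ->
            {ok, iolist_to_binary(lists:reverse([Bin | Acc]))};
        {h3_settings, _} ->
            await_vulnerable(Timeout, Acc)              % control frames reset it too
    after Timeout ->
        {error, timeout}
    end.

%% Hardened pattern: a maximum body size plus an absolute deadline that is
%% computed once per response, so neither data chunks nor control frames can
%% extend it. Both limits are assumed configuration values, not hackney options.
await_hardened(Timeout, MaxSize) ->
    Deadline = erlang:monotonic_time(millisecond) + Timeout,
    await_hardened(Deadline, MaxSize, [], 0).

await_hardened(Deadline, MaxSize, Acc, Size) ->
    %% Remaining shrinks on every iteration instead of being reset.
    Remaining = max(Deadline - erlang:monotonic_time(millisecond), 0),
    receive
        {h3_data, Bin, _Fin} when Size + byte_size(Bin) > MaxSize ->
            {error, {body_too_large, Size + byte_size(Bin)}};
        {h3_data, Bin, false} ->
            await_hardened(Deadline, MaxSize, [Bin | Acc], Size + byte_size(Bin));
        {h3_data, Bin, true} ->
            {ok, iolist_to_binary(lists:reverse([Bin | Acc]))};
        {h3_settings, _} ->
            await_hardened(Deadline, MaxSize, Acc, Size)
    after Remaining ->
        {error, deadline_exceeded}
    end.
```

Feeding the hardened loop a stream that never sets Fin ends with `{error, deadline_exceeded}` once the original deadline passes, and a stream whose cumulative size exceeds MaxSize ends with `{error, {body_too_large, N}}` before the oversize chunk is retained.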

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade hackney to version 4.0.1 or later, which contains the fix
  • If immediate upgrade is not possible, implement application-level response size limits for HTTP/3 requests
  • Monitor BEAM process memory usage for unexpected growth patterns
  • Consider network-level rate limiting or connection timeouts for untrusted HTTP/3 endpoints
  • Review and audit HTTP/3 server connections in production environments for anomalous behavior

Evidence notes

CVE published 2026-05-25; modified 2026-05-26. NVD status: Undergoing Analysis. CWE-400 (Uncontrolled Resource Consumption) identified. CVSS 4.0 vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N.
