PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32688 elixir-plug CVE debrief

CVE-2026-32688 is a high-severity denial-of-service issue in elixir-plug plug_cowboy. In affected versions, HTTP/2 request handling can turn attacker-controlled :scheme values into atoms, permanently consuming entries in the BEAM atom table until the node aborts with system_limit. HTTP/1.1 is not affected by the described path.

Vendor: elixir-plug
Product: plug_cowboy
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-27
Original CVE updated: 2026-04-27
Advisory published: 2026-04-27
Advisory updated: 2026-04-27

Who should care

Teams running plug_cowboy 2.0.0 through 2.8.0, especially services exposed to untrusted HTTP/2 traffic, should treat this as an availability risk. Operators of Erlang/Elixir nodes that depend on plug_cowboy should prioritize remediation even if no authentication boundary is crossed.

Technical summary

According to the CVE description and referenced advisory material, Plug.Cowboy.Conn.conn/1 calls String.to_atom/1 on the scheme value returned by :cowboy_req.scheme/1. For HTTP/2, cowlib passes the client-supplied :scheme pseudo-header through without validation, so each unique value can allocate a new atom permanently. Because atoms are not garbage-collected and the atom table is bounded, repeated unique values can exhaust the table and force the Erlang VM to terminate. The issue affects plug_cowboy from 2.0.0 before 2.8.1 and is categorized as CWE-770 resource allocation without limits or throttling.

Defensive priority

High. This is an unauthenticated remote denial-of-service condition that can bring down the entire Erlang node, so fixing exposed systems should be prioritized promptly.

Recommended defensive actions

  • Upgrade plug_cowboy to 2.8.1 or later.
  • If immediate upgrade is not possible, reduce or disable exposure of HTTP/2 endpoints that accept untrusted traffic.
  • Review deployments for services using plug_cowboy in front of public-facing listeners and confirm the runtime can be restarted safely if a crash occurs.
  • Monitor for Erlang VM aborts or system_limit errors that could indicate resource exhaustion attempts.
  • Verify any dependent code does not convert client-controlled HTTP values into atoms without strict validation.
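The mechanism from the technical summary and the last action above, as an added Elixir example (not plug_cowboy's or cowlib's own code): the unbounded String.to_atom/1 pattern beside a hardened conversion that accepts only the schemes HTTP defines, plus a helper that measures atom-table growth so the difference is observable on a node. The module name SchemeAtoms and the sample inputs are constructed for this example.

```elixir
defmodule SchemeAtoms do
  # Vulnerable pattern (mirrors the CVE): every distinct client-supplied
  # string becomes a new atom that is never garbage-collected.
  def scheme_to_atom_unsafe(scheme) when is_binary(scheme) do
    String.to_atom(scheme)
  end

  # Hardened: strict allow-list. Unknown values are rejected before any
  # atom allocation can happen, so the atom table cannot grow.
  def scheme_to_atom("http"), do: {:ok, :http}
  def scheme_to_atom("https"), do: {:ok, :https}
  def scheme_to_atom(scheme) when is_binary(scheme), do: {:error, {:invalid_scheme, scheme}}

  # Alternative when the valid atoms are known at compile time:
  # String.to_existing_atom/1 raises for unknown strings instead of
  # allocating, so the error is caught and turned into a tagged tuple.
  def scheme_to_existing_atom(scheme) when is_binary(scheme) do
    {:ok, String.to_existing_atom(scheme)}
  rescue
    ArgumentError -> {:error, {:invalid_scheme, scheme}}
  end

  # Runs `fun` over `inputs` and returns how many atoms the node gained,
  # together with the configured limit, for a quick exhaustion check.
  def atom_growth(fun, inputs) do
    before = :erlang.system_info(:atom_count)
    Enum.each(inputs, fun)
    %{
      added: :erlang.system_info(:atom_count) - before,
      count: :erlang.system_info(:atom_count),
      limit: :erlang.system_info(:atom_limit)
    }
  end
end

# Constructed sample input: 1_000 unique, bogus scheme strings of the kind
# an HTTP/2 client could place in the :scheme pseudo-header.
inputs = for i <- 1..1_000, do: "scheme-#{i}"

# The unsafe path grows the table by roughly one atom per unique input;
# the hardened paths add none, since every bogus value is rejected.
IO.inspect(SchemeAtoms.atom_growth(&SchemeAtoms.scheme_to_atom_unsafe/1, inputs), label: "unsafe")
IO.inspect(SchemeAtoms.atom_growth(&SchemeAtoms.scheme_to_atom/1, inputs), label: "allow-list")
IO.inspect(SchemeAtoms.atom_growth(&SchemeAtoms.scheme_to_existing_atom/1, inputs), label: "existing")
```

Run it with `elixir scheme_atoms.exs` on a scratch node only; the unsafe call intentionally leaks atoms, which is exactly what a production node must never do.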

Evidence notes

The supplied corpus is internally consistent across the NVD record, the ERLEF CNA advisory URL, the GitHub security advisory reference, and the linked fix commit. The CVE description explicitly states the affected range (2.0.0 before 2.8.1), the HTTP/2-only impact path, the atom-table exhaustion mechanism, and the denial-of-service outcome. The NVD source item was marked 'Undergoing Analysis' at the time the data was provided, so this debrief relies on the CVE description and the referenced official links rather than on any additional inference.

Official resources

Publicly disclosed on 2026-04-27, with the source record showing the same published and modified timestamp. The provided source item identifies the NVD record as 'Undergoing Analysis' and no CISA KEV listing is indicated in the supplied/enh