PatchSiren


CVE-2026-43973 ninenines CVE debrief

CVE-2026-43973 is an Uncontrolled Resource Consumption vulnerability (CWE-400) in the gun_http module of the ninenines gun library, the Erlang HTTP client. It lets a malicious or compromised server exhaust the memory of the client that connected to it through unbounded buffering of an HTTP/1.1 response. The gun_http:handle/5 function accumulates incoming TCP data into the connection state's buffer field by binary concatenation, with no upper-bound check on the result. A server that sends a partial response and never completes it keeps the gun connection process appending every further fragment to that buffer; the heap grows without bound and, because the BEAM imposes no per-process memory limit by default, the outcome can be an out-of-memory crash of the whole node rather than of a single connection.

Vendor
ninenines
Product
gun
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-08
Original CVE updated
2026-06-09
Advisory published
2026-06-08
Advisory updated
2026-06-09

Who should care

Anyone running gun from version 1.0.0 up to, but not including, 2.4.0 is affected. Exposure is highest where gun talks to servers the operator does not control: third-party APIs, webhook endpoints, crawlers, or anything that follows user-supplied URLs, because the attacker only needs to be, or to have compromised, the server the client connects to.

Technical summary

gun's HTTP/1.1 handler, gun_http:handle/5, receives the TCP data delivered to the connection process and keeps whatever it could not yet parse in the connection state's buffer field. Each new fragment is joined to that unparsed remainder by binary concatenation, and nothing checks how large the resulting binary has become. A server that starts a syntactically valid response but never completes it (for example, a header block that never ends, or a body whose framing never closes) keeps the parser waiting for more bytes while every fragment is appended. Since the BEAM sets no per-process heap limit by default, the buffer grows at network speed until the VM can no longer allocate, which takes down the whole node and every other connection it was serving.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to gun 2.4.0 or later. This is the only complete fix; the affected range is 1.0.0 up to but not including 2.4.0.
  • If you maintain a fork or cannot upgrade immediately, add a ceiling (configurable or hard-coded) on the accumulated buffer in the HTTP/1.1 handler and close the connection when the next fragment would exceed it, instead of appending and waiting for more data.
  • As an interim, node-level control, set a default maximum process heap (erl +hmax <words>, the system-wide default for process_flag(max_heap_size, ...)) so that a runaway connection process is killed rather than exhausting memory for the whole VM. This does not remove the vulnerability; it converts a node crash into a dropped connection.
  • Treat the server side as hostile: use bounded waits (gun:await/3 takes a timeout) and close connections that do not produce a complete response within a reasonable time. This limits how long an attacker can keep the buffer growing, not how fast.
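The following module is an added example for this debrief, not gun's own code, and it does not reproduce gun_http:handle/5. It models the accumulate-then-parse loop described in the technical summary (handle_unbounded/2) next to the bounded alternative recommended above (handle_bounded/3), and drives the bounded client against a constructed loopback server that sends a valid status line followed by header lines forever. All names, the 64 KiB ceiling, and the port number are assumptions made for the demonstration.

```erlang
%% buffer_limit_demo.erl
%% Added example for this debrief; it is not gun's code and does not
%% reproduce gun_http:handle/5. It models the accumulate-then-parse loop
%% the advisory describes and pairs it with a bounded version, driven by a
%% constructed loopback "server" that never finishes its response.
%% Build and run:
%%   erlc buffer_limit_demo.erl && erl -noshell -s buffer_limit_demo run -s init stop
-module(buffer_limit_demo).
-export([run/0, handle_unbounded/2, handle_bounded/3, read_headers/3,
         malicious_server/1]).

%% Hypothetical ceiling for unparsed response bytes; the value gun 2.4.0
%% uses is not stated in the advisory.
-define(MAX_BUFFER, 64 * 1024).

%% Vulnerable shape: the unparsed remainder is joined with every new TCP
%% fragment by binary concatenation and nothing checks the size. Fed by
%% the server below this grows until the VM cannot allocate.
handle_unbounded(Data, Buffer) ->
    {ok, <<Buffer/binary, Data/binary>>}.

%% Hardened shape: refuse to grow past Max and hand the caller an error so
%% it can close the connection instead of waiting for more bytes.
handle_bounded(Data, Buffer, Max) when byte_size(Buffer) + byte_size(Data) > Max ->
    {error, {buffer_limit_exceeded, byte_size(Buffer) + byte_size(Data), Max}};
handle_bounded(Data, Buffer, _Max) ->
    {ok, <<Buffer/binary, Data/binary>>}.

%% The HTTP/1.1 header block ends at the first empty line (CRLF CRLF).
headers_complete(Buffer) ->
    binary:match(Buffer, <<"\r\n\r\n">>) =/= nomatch.

%% Client read loop using the bounded handler. Stops with {error, ...}
%% once the ceiling is reached; with handle_unbounded/2 it would never stop.
read_headers(Sock, Buffer, Max) ->
    case gen_tcp:recv(Sock, 0, 5000) of
        {ok, Data} ->
            case handle_bounded(Data, Buffer, Max) of
                {ok, Buffer2} ->
                    case headers_complete(Buffer2) of
                        true  -> {ok, Buffer2};
                        false -> read_headers(Sock, Buffer2, Max)
                    end;
                {error, _} = Err ->
                    Err
            end;
        {error, _} = Err ->
            Err
    end.

%% Constructed malicious server on loopback: a valid status line, then
%% header lines forever, never the blank line that would end the headers.
malicious_server(Port) ->
    {ok, LSock} = gen_tcp:listen(Port, [binary, {ip, {127, 0, 0, 1}},
                                        {active, false}, {reuseaddr, true}]),
    spawn_link(fun() ->
                       {ok, Sock} = gen_tcp:accept(LSock),
                       ok = gen_tcp:send(Sock, <<"HTTP/1.1 200 OK\r\n">>),
                       flood(Sock)
               end),
    ok.

flood(Sock) ->
    Line = <<"X-Pad: ", (binary:copy(<<"a">>, 1000))/binary, "\r\n">>,
    case gen_tcp:send(Sock, Line) of
        ok -> flood(Sock);
        {error, _} -> ok   %% the client gave up and closed the socket
    end.

run() ->
    Port = 18080,   %% arbitrary loopback port chosen for the demo
    ok = malicious_server(Port),
    {ok, Sock} = gen_tcp:connect({127, 0, 0, 1}, Port, [binary, {active, false}]),
    Result = read_headers(Sock, <<>>, ?MAX_BUFFER),
    ok = gen_tcp:close(Sock),
    io:format("bounded client stopped with: ~p~n", [Result]),
    Result.
```

Running it prints an {error, {buffer_limit_exceeded, Seen, 65536}} tuple a fraction of a second after start, where Seen is the byte count the next append would have produced; the connection is closed and the process returns. Swapping handle_bounded/3 for handle_unbounded/2 in read_headers/3 reproduces the vulnerable behaviour: the loop never terminates, the binary grows at the rate the loopback interface delivers data, and the node eventually fails to allocate. Do that only on a disposable VM.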

Evidence notes

The stored evidence does not identify who reported CVE-2026-43973. The record carries a CVSS score of 8.7, rated HIGH; no CVSS vector is present in the stored evidence, so the exact version and metrics behind the score are not reproduced here.

Official resources

The CVE-2026-43973 record was published on 2026-06-08T15:16:46.700Z and last modified on 2026-06-09T15:20:13.097Z.