PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43974 ninenines CVE debrief

CVE-2026-43974 is an Unexpected Status Code or Return Value vulnerability in the gun_http module of the ninenines gun library. A malicious HTTP server can force the client into raw protocol mode via an unsolicited 101 Switching Protocols response. This occurs because the gun_http:handle_inform/8 function verifies only that the Upgrade header is syntactically valid and that the stream reference is a plain reference(), without checking if the client ever sent an Upgrade or Connection: upgrade header on the corresponding request. Consequently, any 101 response causes gun to dispatch a gun_upgrade message to the caller and transition the entire connection to raw protocol mode. In raw mode, gun_raw applies no flow control and re-arms socket active mode after every received packet, allowing the server to flood the client with arbitrary bytes. These are forwarded as unbounded gun_data messages to the owner process, exhausting its mailbox and BEAM memory, ultimately crashing the VM. This issue affects gun versions from 2.0.0 before 2.4.0.

Vendor
ninenines
Product
gun
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-08
Original CVE updated
2026-06-09
Advisory published
2026-06-08
Advisory updated
2026-06-09

Who should care

Anyone running the ninenines gun HTTP client at a version from 2.0.0 up to, but not including, 2.4.0 should care, especially where gun connects to servers outside their control (third-party APIs, user-supplied URLs, webhook endpoints). Nothing special is needed on the client side: an ordinary GET is enough, since the unsolicited 101 is accepted on any stream. A malicious or compromised server can crash the client's BEAM VM, which takes down every other process on that node, so the denial of service is not confined to the one connection or the one caller.

Technical summary

The flaw is in how gun_http, gun's HTTP/1.1 protocol handler, processes informational responses. When a 101 Switching Protocols response arrives, gun_http:handle_inform/8 checks only that the response's Upgrade header parses and that the stream reference is a plain reference(); it never checks whether the request on that stream carried Upgrade and Connection: upgrade headers. A server can therefore answer any request, including a plain GET, with a 101, and gun will emit a gun_upgrade message to the owner and switch the whole connection to raw mode. gun_raw applies no flow control and re-arms the socket's active mode after each packet, so everything the server sends from then on is forwarded to the owner process as gun_data messages with nothing to slow it down; the owner's mailbox and BEAM memory grow until the VM crashes.
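The decision described above, as an added example in Erlang. This is a standalone model, not gun's code: the vulnerable predicate accepts any 101 whose Upgrade header parses, the hardened one also requires that the request on the same stream asked for the upgrade (Upgrade header present and the "upgrade" token listed in Connection, per RFC 9110 section 7.8) and, going one step beyond the advisory's fix, that the server switched to a protocol the client actually offered. Header lists are assumed to be [{LowercaseName, Value}] binaries, the shape gun uses; the module name and demo/0 inputs are constructed for this example.

```erlang
%% Added example, not gun's code: a standalone model of the decision a client
%% must make when a 101 Switching Protocols response arrives.
%% Header lists are [{LowercaseName, Value}] binaries, the shape gun uses.
-module(upgrade_check_model).
-export([vulnerable_accept_101/2, hardened_accept_101/2, demo/0]).

-type headers() :: [{binary(), binary()}].

%% Vulnerable behaviour as the advisory describes it: only the response's
%% Upgrade header is inspected, so any syntactically valid 101 is accepted
%% regardless of what the client asked for.
-spec vulnerable_accept_101(headers(), headers()) -> boolean().
vulnerable_accept_101(_ReqHeaders, RespHeaders) ->
    case lists:keyfind(<<"upgrade">>, 1, RespHeaders) of
        {_, Upgrade} -> tokens(Upgrade) =/= [];
        false -> false
    end.

%% Hardened behaviour: the request on this stream must itself have asked for
%% an upgrade (Upgrade header present and "upgrade" listed in Connection),
%% and the server may only switch to a protocol the client offered. The
%% offered-protocol condition is an extra check beyond the advisory's fix.
-spec hardened_accept_101(headers(), headers()) -> boolean().
hardened_accept_101(ReqHeaders, RespHeaders) ->
    case {lists:keyfind(<<"upgrade">>, 1, ReqHeaders),
          lists:keyfind(<<"connection">>, 1, ReqHeaders),
          lists:keyfind(<<"upgrade">>, 1, RespHeaders)} of
        {{_, ReqUpgrade}, {_, Connection}, {_, RespUpgrade}} ->
            Offered = tokens(ReqUpgrade),
            Offered =/= []
                andalso lists:member(<<"upgrade">>, tokens(Connection))
                andalso lists:any(fun(P) -> lists:member(P, Offered) end,
                                  tokens(RespUpgrade));
        _ ->
            false
    end.

%% Split a comma-separated header value into trimmed, lowercased tokens;
%% header tokens are case-insensitive, so comparisons are done in lowercase.
tokens(Value) ->
    [string:lowercase(T)
     || T <- [string:trim(Part)
              || Part <- binary:split(Value, <<",">>, [global])],
        T =/= <<>>].

%% Constructed sample inputs: a plain GET and a WebSocket handshake, both
%% answered by the same 101 response.
demo() ->
    PlainGet = [{<<"host">>, <<"example.test">>}],
    WsRequest = [{<<"host">>, <<"example.test">>},
                 {<<"connection">>, <<"Upgrade">>},
                 {<<"upgrade">>, <<"websocket">>}],
    Response101 = [{<<"connection">>, <<"Upgrade">>},
                   {<<"upgrade">>, <<"websocket">>}],
    [{plain_get, vulnerable, vulnerable_accept_101(PlainGet, Response101)},
     {plain_get, hardened,   hardened_accept_101(PlainGet, Response101)},
     {websocket, hardened,   hardened_accept_101(WsRequest, Response101)}].
```

Running demo/0 shows the difference in one place: the vulnerable predicate accepts the 101 on the plain GET, the hardened predicate rejects it, and the hardened predicate still accepts the genuine WebSocket handshake. In gun the request headers are available on the stream state when the response is parsed, which is why the fix belongs in gun_http:handle_inform/8 rather than in the application.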

Defensive priority

High

Recommended defensive actions

  • Upgrade to gun 2.4.0 or later. The fix lives in gun_http:handle_inform/8 itself, and no application-level workaround reaches that code path.
  • Until the upgrade ships, have the owner process treat a gun_upgrade message as expected only on a stream it deliberately opened with an upgrade request (for example via gun:ws_upgrade); on any other stream, close the connection with gun:close/1 immediately rather than reading from it. Checking the headers you put on your own requests is not enough on its own, because the decision to enter raw mode is made by gun when the response arrives.
  • Log and alert on unsolicited 101 responses, i.e. gun_upgrade messages for streams that never asked for an upgrade, and treat the peer as hostile. An owner-side check only limits the damage: gun_raw may already have re-armed the socket by the time the owner process is scheduled, so some flood data can reach the mailbox before the close takes effect.
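The owner-side mitigation from the list above, as an added Erlang example that is not part of gun or of the advisory. It assumes the gun 2.x API and message shapes (gun:open/2, gun:await_up/1, gun:get/2, gun:ws_upgrade/2, gun:close/1, and the gun_upgrade, gun_response, gun_data, gun_error and gun_down messages); the module name, the body cap and the timeout are values chosen for this example.

```erlang
%% Added example, not gun's code: an owner process that accepts a 101 only on
%% streams it opened for an upgrade, closes the connection on any other
%% gun_upgrade message, and caps the bytes it will buffer per stream.
-module(guarded_gun_owner).
-export([get/3, ws_connect/3]).

%% Assumed limits for this example; tune for the application.
-define(MAX_BODY_BYTES, 16 * 1024 * 1024).
-define(TIMEOUT, 15000).

%% Plain GET. No stream is registered as an upgrade, so a 101 is rejected.
get(Host, Port, Path) ->
    {ok, ConnPid} = gun:open(Host, Port),
    {ok, _Proto} = gun:await_up(ConnPid),
    StreamRef = gun:get(ConnPid, Path),
    loop(ConnPid, StreamRef, #{}, undefined, <<>>).

%% WebSocket. Only the stream returned by gun:ws_upgrade/2 may receive a 101.
ws_connect(Host, Port, Path) ->
    {ok, ConnPid} = gun:open(Host, Port),
    {ok, _Proto} = gun:await_up(ConnPid),
    StreamRef = gun:ws_upgrade(ConnPid, Path),
    loop(ConnPid, StreamRef, #{StreamRef => true}, undefined, <<>>).

%% Upgrades maps stream refs that asked for an upgrade to true. Resp holds
%% {Status, Headers} once the gun_response has arrived; Acc holds body bytes.
loop(ConnPid, StreamRef, Upgrades, Resp, Acc) ->
    receive
        {gun_upgrade, ConnPid, Ref, Protocols, Headers} ->
            case maps:is_key(Ref, Upgrades) of
                true ->
                    {ok, {upgraded, Ref, Protocols, Headers}};
                false ->
                    %% Unsolicited 101: the server is pushing the whole
                    %% connection into raw mode. Close it instead of reading.
                    reject(ConnPid, {unsolicited_101, Ref, Protocols})
            end;
        {gun_response, ConnPid, StreamRef, fin, Status, Headers} ->
            {ok, {Status, Headers, <<>>}};
        {gun_response, ConnPid, StreamRef, nofin, Status, Headers} ->
            loop(ConnPid, StreamRef, Upgrades, {Status, Headers}, Acc);
        {gun_data, ConnPid, StreamRef, _IsFin, Data}
          when byte_size(Acc) + byte_size(Data) > ?MAX_BODY_BYTES ->
            %% Defence in depth: stop buffering once the peer exceeds the cap,
            %% whether or not a 101 was involved.
            reject(ConnPid, {body_too_large, StreamRef});
        {gun_data, ConnPid, StreamRef, nofin, Data} ->
            loop(ConnPid, StreamRef, Upgrades, Resp, <<Acc/binary, Data/binary>>);
        {gun_data, ConnPid, StreamRef, fin, Data} ->
            {Status, Headers} = Resp,
            {ok, {Status, Headers, <<Acc/binary, Data/binary>>}};
        {gun_error, ConnPid, StreamRef, Reason} ->
            reject(ConnPid, {stream_error, Reason});
        {gun_error, ConnPid, Reason} ->
            reject(ConnPid, {conn_error, Reason});
        {gun_down, ConnPid, _Proto, Reason, _KilledStreams} ->
            {error, {down, Reason}}
    after ?TIMEOUT ->
        reject(ConnPid, timeout)
    end.

%% Close the connection, then drop whatever gun already queued for it: the
%% head of a flood may be in the mailbox before gun:close/1 takes effect.
reject(ConnPid, Reason) ->
    logger:warning("closing gun connection ~p: ~p", [ConnPid, Reason]),
    ok = gun:close(ConnPid),
    flush(ConnPid),
    {error, Reason}.

flush(ConnPid) ->
    receive
        Msg when is_tuple(Msg), tuple_size(Msg) >= 2,
                 element(2, Msg) =:= ConnPid ->
            flush(ConnPid)
    after 0 ->
        ok
    end.
```

Closing is the right reaction rather than ignoring the message: once gun has switched the connection to raw mode it is no longer an HTTP connection, so there is nothing to salvage. The byte cap bounds what this process retains, not what arrives; the flood itself only stops when the socket is closed, which is why this is a stop-gap for gun versions before 2.4.0 and not a substitute for the upgrade.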

Evidence notes

The CVE-2026-43974 vulnerability was made public on 2026-06-08T15:16:46.870Z and last modified on 2026-06-09T15:20:13.097Z. The CVSS score is 8.7, indicating a High severity.
