PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-7790 ninenines CVE debrief

CVE-2026-7790 is a denial-of-service issue in cowlib’s HTTP chunked transfer-encoding parser. The parser accepts an unbounded number of hex digits in the chunk-size field, so a single oversized chunk-size line forces excessive CPU work and memory use during parsing. According to the advisory, a drip-fed request makes the cost worse still, because the parser discards its accumulated length on each partial read and starts over. This is a remotely reachable, unauthenticated resource-consumption problem affecting cowlib versions from 0.6.0 up to, but not including, 2.16.1.

Vendor: ninenines
Product: cowlib
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-11
Original CVE updated: 2026-05-13
Advisory published: 2026-05-11
Advisory updated: 2026-05-13

Who should care

Operators and maintainers of Erlang/Elixir services that depend on cowlib, especially HTTP-facing systems that accept HTTP/1.1 chunked requests through internet-exposed endpoints or reverse-proxy paths.

Technical summary

The issue is in cow_http_te’s chunked transfer-encoding parsing routines. The chunk-size parser accepts an unbounded hex string, and each digit it consumes is a multiply-and-add on an arbitrary-precision integer whose length grows with every digit already read, so the cost of each step is linear in the digits consumed so far. The advisory states this yields O(N^2) CPU work and O(N) memory for a chunk-size field of N digits, and that drip-fed input raises the total cost to O(N^3), because each partial read discards the accumulated length and the parser re-reads the field from the first digit. The vulnerability is mapped to CWE-400 (Uncontrolled Resource Consumption).
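The cost model above, as an added illustration that is not cowlib's Erlang code or the advisory's text: a simplified Python chunk-size parser that counts big-integer work per digit, a hardened variant with an assumed cap of 16 hex digits (enough for any 64-bit size), and a drip-feed simulator that re-runs the parser over the whole buffer after each partial read. The chunk-size line and read sizes are constructed sample input; only the size field is modelled, not chunk extensions or the rest of the request.

```python
# Added example (not cowlib's code): models the cost of parsing the chunk-size
# field of an HTTP/1.1 chunked body. "work" counts arbitrary-precision digit
# operations: multiplying an accumulator that already holds k hex digits by 16
# costs about k operations, so N digits cost roughly N^2/2.
from functools import partial

HEX_DIGITS = b"0123456789abcdefABCDEF"
MAX_CHUNK_SIZE_DIGITS = 16  # assumed cap: 2^64 - 1 needs at most 16 hex digits


def parse_chunk_size(buf: bytes, max_digits=None):
    """Parse a chunk-size line ("<hex>\\r\\n") from the start of buf.

    Returns (status, size, work) where status is "ok", "incomplete"
    (need more bytes) or "rejected" (malformed or over the digit cap).
    """
    acc = ndigits = work = 0
    i = 0
    while i < len(buf) and buf[i] in HEX_DIGITS:
        ndigits += 1
        if max_digits is not None and ndigits > max_digits:
            return ("rejected", None, work)  # hardened path: stop early
        acc = acc * 16 + int(chr(buf[i]), 16)
        work += ndigits  # bignum shift/add cost grows with its length
        i += 1
    if buf[i:i + 2] == b"\r\n":
        return ("ok", acc, work) if ndigits else ("rejected", None, work)
    if buf[i:] in (b"", b"\r"):
        return ("incomplete", None, work)  # caller will read more and retry
    return ("rejected", None, work)


# Vulnerable model: no limit on the number of hex digits.
parse_chunk_size_unbounded = partial(parse_chunk_size, max_digits=None)
# Hardened model: reject once the field exceeds the assumed digit cap.
parse_chunk_size_bounded = partial(parse_chunk_size, max_digits=MAX_CHUNK_SIZE_DIGITS)


def drip_feed(parser, request: bytes, read_size: int):
    """Deliver request in read_size slices and re-run parser on the whole
    buffer after each read, as a parser that restarts from zero would.
    Returns (status, size, total_work) summed over every attempt."""
    buf, total = b"", 0
    for off in range(0, len(request), read_size):
        buf += request[off:off + read_size]
        status, size, work = parser(buf)
        total += work
        if status != "incomplete":
            return status, size, total
    return "incomplete", None, total


if __name__ == "__main__":
    # Constructed malicious chunk-size line: 100 hex digits (16**100 - 1).
    line = b"f" * 100 + b"\r\n"
    print("one read, unbounded:", parse_chunk_size_unbounded(line)[2])
    print("drip-fed 1 byte/read, unbounded:", drip_feed(parse_chunk_size_unbounded, line, 1)[2])
    print("drip-fed 1 byte/read, bounded:", drip_feed(parse_chunk_size_bounded, line, 1))
```

With the constructed 100-digit line, the unbounded parser does 5,050 digit operations when the line arrives in one read but 181,800 when it arrives one byte at a time, while the bounded parser rejects the line after 952 operations regardless of how it is delivered.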

Defensive priority

High

Recommended defensive actions

  • Upgrade cowlib to 2.16.1 or later.
  • Identify all applications and transitive dependencies that embed cowlib, including services that parse HTTP chunked transfer-encoding.
  • Add or tighten request size, body read timeouts, and connection-timeout limits at the edge or reverse proxy. Note that header-size limits do not cover the chunk-size line, which sits in the message body, so only a proxy that parses or buffers chunked request bodies itself shields the backend from an oversized chunk-size field.
  • Monitor for CPU spikes, worker exhaustion, or repeated chunked-request parsing on exposed HTTP endpoints.
  • Review dependency lockfiles and build artifacts to confirm no affected cowlib version from 0.6.0 before 2.16.1 remains deployed.
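The lockfile review in the last step, as an added example that is not PatchSiren's or the cowlib project's tooling: a Python scanner that pulls the pinned cowlib version out of mix.lock and rebar.lock content and tests it against the affected range 0.6.0 (inclusive) to 2.16.1 (exclusive) stated in the advisory. The two lockfile excerpts are constructed samples with placeholder hashes, shaped like the real formats.

```python
# Added example (not project tooling): flag pinned cowlib versions in the
# affected range from 0.6.0 before 2.16.1 in Mix and rebar3 lockfiles.
import re

AFFECTED_MIN = (0, 6, 0)   # inclusive lower bound from the advisory
FIXED = (2, 16, 1)         # first fixed release (exclusive upper bound)

# mix.lock entry:   "cowlib": {:hex, :cowlib, "2.15.0", "<hash>", ...},
MIX_RE = re.compile(r'"cowlib":\s*\{:hex,\s*:cowlib,\s*"([^"]+)"')
# rebar.lock entry: {<<"cowlib">>,{pkg,<<"cowlib">>,<<"2.15.0">>},1},
REBAR_RE = re.compile(r'\{<<"cowlib">>,\s*\{pkg,\s*<<"cowlib">>,\s*<<"([^"]+)">>\}')


def parse_version(s: str) -> tuple:
    """"2.16.1" -> (2, 16, 1); a pre-release suffix such as "-rc.1" is dropped,
    so a pre-release of the fixed version is still treated as fixed (assumption)."""
    core = s.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) < FIXED


def scan_lockfile(text: str) -> list:
    """Return [(version, affected)] for every cowlib pin found in text."""
    versions = MIX_RE.findall(text) + REBAR_RE.findall(text)
    return [(v, is_affected(v)) for v in versions]


# Constructed mix.lock excerpt (hashes are placeholders, not real digests).
MIX_LOCK = '''%{
  "cowboy": {:hex, :cowboy, "2.13.0", "0000", [:make, :rebar3], [{:cowlib, ">= 2.14.0 and < 3.0.0", [hex: :cowlib, repo: "hexpm", optional: false]}], "hexpm", "0000"},
  "cowlib": {:hex, :cowlib, "2.15.0", "0000", [:make, :rebar3], [], "hexpm", "0000"},
}
'''

# Constructed rebar.lock excerpt (hashes are placeholders).
REBAR_LOCK = '''{"1.2.0",
[{<<"cowlib">>,{pkg,<<"cowlib">>,<<"2.16.1">>},1},
 {<<"ranch">>,{pkg,<<"ranch">>,<<"1.8.0">>},1}]}.
[
{pkg_hash,[
 {<<"cowlib">>, <<"0000">>},
 {<<"ranch">>, <<"0000">>}]}
].
'''

if __name__ == "__main__":
    for name, content in (("mix.lock", MIX_LOCK), ("rebar.lock", REBAR_LOCK)):
        for version, affected in scan_lockfile(content):
            print(f"{name}: cowlib {version} -> {'AFFECTED' if affected else 'ok'}")
```

Run it against every lockfile in the build tree, and against the `.app` files inside released artifacts, since a release built before the lockfile was updated can still carry an affected version.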

Evidence notes

The supplied sources identify the issue as an uncontrolled resource consumption vulnerability in ninenines cowlib’s cow_http_te module, affecting versions from 0.6.0 before 2.16.1. The NVD record cites CWE-400 and marks the record as Undergoing Analysis. References in the corpus include the CNA advisory at cna.erlef.org, an upstream GitHub commit in the ninenines/cowlib repository, and an OSV entry for EEF-CVE-2026-7790. The source description states the attack is possible remotely and without authentication via HTTP/1.1 chunked transfer-encoding with an oversized chunk-size hex string.

Official resources

CVE published 2026-05-11T19:16:29.477Z and modified 2026-05-13T15:57:03.607Z, per the supplied CVE timeline. The source record uses the same published and modified timestamps.