CVE Catalog

CVE-2026-47066

High
Published: Translated: NVD NIST

Summary

CVE-2026-47066 vulnerability in the hackney library causes an infinite loop due to an unreachable exit condition, leading to excessive resource allocation. The Alt-Svc response header parser does not guarantee progress, resulting in the process being pinned at 100% CPU.

Risk Assessment

Organizations may experience significant performance issues when an HTTP server returns a response with an Alt-Svc header containing an invalid character, potentially leading to process hangs and reduced service availability.

Recommendation

It is recommended to update the hackney library to version 4.0.1 or later to mitigate this vulnerability. Additionally, monitor HTTP responses for potential issues with Alt-Svc headers.

Original NVD description (English source)

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in benoitc hackney allows Excessive Allocation. The Alt-Svc response header parser in src/hackney_altsvc.erl does not guarantee forward progress. When parse_token/2 receives a non-token, non-whitespace, non-comma byte (e.g. !, @, =, ;), it returns the input unchanged. skip_comma/1 also returns the buffer unchanged when the first byte is not a comma. parse_entries/2 then recurses with identical data, creating a tight infinite tail-recursive loop that pins a scheduler at 100% CPU. The calling process never returns. The entry point parse_and_cache/3 is called synchronously in the connection process on every HTTP response. A single-byte Alt-Svc: ! response header is sufficient to trigger the hang; the header is fully controlled by any HTTP origin the client connects to. This issue affects hackney: from 2.0.0-beta.1 before 4.0.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS