CVE-2026-47077
HighSummary
A vulnerability in the hackney library allows for unbounded accumulation of HTTP/3 responses in memory, potentially leading to resource exhaustion.
Risk Assessment
An attacker could exploit this vulnerability to exhaust memory, resulting in a BEAM process crash and potential service unavailability.
Recommendation
It is recommended to upgrade the hackney library to version 4.0.1 or later to mitigate the risks associated with this vulnerability.
Original NVD description (English source)
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk, housekeeping message, or settings frame — it is not a wall-clock deadline. A malicious HTTP/3 server that emits one small chunk every Timeout - 1 ms with Fin = false and never sends a final frame keeps the loop alive indefinitely while the accumulation buffer grows linearly without bound, eventually exhausting the BEAM process heap and causing an out-of-memory condition. This issue affects hackney: from 2.0.0 before 4.0.1.

