2477254 – (CVE-2026-43970) CVE-2026-43970 cowlib: cowlib: Remote denial of service via data amplification in SPDY frame processing

Bug 2477254 (CVE-2026-43970) - CVE-2026-43970 cowlib: cowlib: Remote denial of service via data amplification in SPDY frame processing

Summary: CVE-2026-43970 cowlib: cowlib: Remote denial of service via data amplificatio...

Keywords:
Status:	NEW
Alias:	CVE-2026-43970
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2479811
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-13 20:02 UTC by OSIDB Bzimport
Modified:	2026-05-19 11:59 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-13 20:02:48 UTC

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion.

cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2.

This issue affects cowlib from 0.1.0 before 2.16.1.

Note You need to log in before you can comment on or make changes to this bug.