A high-severity denial-of-service vulnerability tracked as CVE-2026-7790 has been disclosed in cowlib, the low-level HTTP parsing library that underpins the popular Cowboy web server for Erlang/OTP. Published in May 2026, the flaw allows remote attackers to crash or exhaust the resources of affected servers by sending a malformed HTTP request with an oversized chunk-size field during chunked transfer encoding.

Cowlib is a foundational component for Erlang-based web applications, handling protocol parsing and validation for Cowboy and other projects. The vulnerability exists in all versions of cowlib from 0.6.0 up to, but not including, version 2.16.1. Systems running Cowboy or any other web framework that depends on cowlib for HTTP chunked transfer processing are potentially exposed.

The core issue lies in how cowlib parses HTTP chunked transfer encoding. Chunked transfer encoding breaks a message body into a series of chunks, each prefixed by the chunk size in hexadecimal followed by a CRLF. The parser reads the hex size, converts it to an integer, and allocates memory to receive the chunk data. An attacker can exploit this by sending a chunk size value that is excessively large—for instance, a hexadecimal string representing a multi-gigabyte size—causing the server to allocate an enormous buffer or enter an infinite loop. This can lead to memory exhaustion, CPU saturation, and ultimately a denial of service.

The vulnerability has been assigned CVSS v3.1 score 7.5 (High), reflecting its network exploitability, low complexity, and lack of required privileges or user interaction. An unauthenticated remote attacker can trigger the DoS with a single crafted HTTP request, making it a severe risk for any internet-facing Erlang web service.

Technical Breakdown

HTTP/1.1 chunked transfer encoding (RFC 7230 Section 4.1) transmits data in a series of chunks. Each chunk consists of a size line (hexadecimal size + CRLF), the chunk data, and a terminating CRLF. The body ends with a zero-length chunk. A typical chunk looks like:

1a\r\n
abcdefghijklmnopqrstuvwxyz\r\n

where 1a is the hex length of the following data (26 bytes).

The cowlib parser reads the size field character by character until it encounters a CRLF. Because the size field is theoretically unbounded (the RFC does not specify a maximum, though implementations impose one), a parser must enforce a reasonable limit to prevent abuse. Before version 2.16.1, cowlib did not enforce any limit on the length of the chunk-size field, nor on the resulting integer value. An attacker could send FFFFFFFFFFFFFFFF (or longer) as the size, forcing the parser to allocate a buffer of 18 exabytes—far beyond any realistic system memory—and immediately crash the Erlang virtual machine with an out-of-memory error or hog the CPU while attempting to satisfy the allocation.

Moreover, even if the allocation is guarded by a size check downstream, the endless parsing of a massive chunk-size string can monopolize an Erlang scheduler thread, locking up the entire node. Erlang’s preemptive scheduler normally prevents such hangs, but native C-based NIFs (Native Implemented Functions) used in cowlib’s parsing may bypass the reduction counting mechanism, allowing a tight loop to block the VM.

The fix in cowlib 2.16.1 introduces a configurable maximum chunk size, defaulting to 8 MB, and a limit on the number of hexadecimal digits allowed in the size field (16 digits). Both values can be adjusted via application environment variables max_chunk_size and max_chunk_size_len.
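To make the two bounds concrete, here is an added Python example (not cowlib's code) of a chunk-size parser that applies the 16-digit and 8 MB limits described for the fix before any integer conversion or allocation, plus a small decode loop that uses it. The chunk-extension handling, error messages and helper names are this example's own assumptions.

```python
import re

# Bounds named above in the description of the cowlib 2.16.1 fix; the code
# enforcing them is this added example's own, not cowlib's.
MAX_CHUNK_SIZE = 8 * 1024 * 1024   # largest decoded chunk accepted (8 MB)
MAX_CHUNK_SIZE_LEN = 16            # hex digits permitted in the size field

def parse_chunk_size_line(line: bytes, max_size: int = MAX_CHUNK_SIZE,
                          max_len: int = MAX_CHUNK_SIZE_LEN) -> int:
    """Return the size in a chunk-size line such as b"1a\\r\\n", or raise ValueError.

    Both bounds are checked before int() or any allocation sees the digits."""
    if not line.endswith(b"\r\n"):
        raise ValueError("chunk-size line must end with CRLF")
    # RFC 7230 4.1.1 permits chunk extensions after ';'; they carry no size.
    field = line[:-2].split(b";", 1)[0].strip(b" \t")
    if not field:
        raise ValueError("empty chunk-size field")
    if len(field) > max_len:
        raise ValueError(f"chunk-size field longer than {max_len} hex digits")
    if not re.fullmatch(rb"[0-9A-Fa-f]+", field):
        raise ValueError("chunk-size field is not hexadecimal")
    size = int(field, 16)
    if size > max_size:
        raise ValueError(f"chunk size {size:#x} exceeds {max_size} bytes")
    return size

def decode_chunked_body(data: bytes) -> bytes:
    """Decode a complete chunked body, refusing it on any out-of-bounds size."""
    out, pos = bytearray(), 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("chunk-size line without CRLF")
        size = parse_chunk_size_line(data[pos:eol + 2])
        pos = eol + 2
        if size == 0:
            return bytes(out)      # last-chunk; trailers are not handled here
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data truncated or missing trailing CRLF")
        out += data[pos:pos + size]
        pos += size + 2

def rejects(line: bytes) -> bool:
    """True when the bounded parser refuses the given chunk-size line."""
    try:
        parse_chunk_size_line(line)
        return False
    except ValueError:
        return True
```

Feeding the parser the 16-digit FFFFFFFFFFFFFFFF size from the text above fails the value check, and a 17-digit field fails the length check before int() ever runs.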

Affected Versions & Dependencies

The vulnerability affects all cowlib releases from 0.6.0 to 2.16.0. It was patched in version 2.16.1 on May 12, 2026. Developers should immediately update their rebar.config or erlang.mk dependencies to require cowlib >= 2.16.1.

Because the Cowboy web server (versions 2.x) bundles cowlib, any Cowboy 2.x release prior to 2.12.0 that uses an older cowlib will be vulnerable. Cowboy 2.12.0, released in tandem with cowlib 2.16.1, includes the updated dependency. Other frameworks, such as Phoenix (via phoenix_cowboy) or applications using plug_cowboy directly, may also inherit the flaw.

Windows administrators running Erlang/OTP on Windows Server are equally affected. Erlang runs natively on Windows, and many organizations deploy Cowboy-based microservices on Windows infrastructure for internal tools, IoT backends, or APIs. A vulnerable Windows-hosted service is just as susceptible to remote DoS.

Verification

To determine if your Erlang application is vulnerable, check the cowlib version in your lock file or by querying the running release:

erl -noshell -pa _build/default/lib/cowlib/ebin -eval 'application:load(cowlib), {ok, V} = application:get_key(cowlib, vsn), io:format("cowlib ~s~n", [V]), halt().'

or examine the _build directory after compilation. Any version below 2.16.1 is affected.
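As an added example (not part of the original advisory or the cowlib project), the following Python script extracts the pinned cowlib version from a rebar.lock or mix.lock excerpt and compares it against the affected range stated above. The lock excerpts and the placeholder hashes are constructed for the demonstration.

```python
import re

PATCHED = (2, 16, 1)          # first fixed cowlib release named in the advisory
FIRST_AFFECTED = (0, 6, 0)    # earliest affected release named in the advisory

# One pattern per lock-file format: rebar.lock (rebar3) and mix.lock (Elixir).
LOCK_PATTERNS = {
    "rebar.lock": re.compile(r'\{<<"cowlib">>,\{pkg,<<"cowlib">>,<<"([0-9.]+)">>\}'),
    "mix.lock": re.compile(r'"cowlib":\s*\{:hex,\s*:cowlib,\s*"([0-9.]+)"'),
}

def parse_version(text: str) -> tuple:
    """Turn "2.12.1" into (2, 12, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def cowlib_version(lock_kind: str, lock_text: str):
    """Return the pinned cowlib version tuple, or None when cowlib is not in the lock."""
    m = LOCK_PATTERNS[lock_kind].search(lock_text)
    return parse_version(m.group(1)) if m else None

def is_affected(version: tuple) -> bool:
    """Affected range stated in the advisory: 0.6.0 <= version < 2.16.1."""
    return FIRST_AFFECTED <= version < PATCHED

def audit_lock(lock_kind: str, lock_text: str) -> str:
    """One-line verdict for a lock file's cowlib pin."""
    v = cowlib_version(lock_kind, lock_text)
    if v is None:
        return "cowlib not pinned in lock file"
    verdict = "AFFECTED, upgrade to >= 2.16.1" if is_affected(v) else "not affected"
    return f"cowlib {'.'.join(map(str, v))}: {verdict}"

# Constructed lock-file excerpts (not taken from any real project) for a
# stand-alone run; hashes are replaced with an obvious placeholder.
SAMPLE_REBAR_LOCK = '''{"1.2.0",
[{<<"cowboy">>,{pkg,<<"cowboy">>,<<"2.10.0">>},0},
 {<<"cowlib">>,{pkg,<<"cowlib">>,<<"2.12.1">>},1},
 {<<"ranch">>,{pkg,<<"ranch">>,<<"1.8.0">>},1}]}.
'''
SAMPLE_MIX_LOCK = '''%{
  "cowlib": {:hex, :cowlib, "2.16.1", "PLACEHOLDER_HASH", [:rebar3], [], "hexpm", "PLACEHOLDER_HASH"},
}
'''

if __name__ == "__main__":
    print(audit_lock("rebar.lock", SAMPLE_REBAR_LOCK))
    print(audit_lock("mix.lock", SAMPLE_MIX_LOCK))
```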

Alternatively, you can inspect the HTTP response headers for the server banner; if it shows Cowboy/2.x.x and the date of the build is before mid-May 2026, you may be at risk.

Mitigation & Workarounds

  1. Apply the Official Patch: The recommended mitigation is to upgrade to cowlib 2.16.1 (or Cowboy 2.12.0 or later). The update is source-compatible and requires no code changes for the vast majority of applications.
  2. Configuration Tuning: For systems that cannot immediately upgrade and where you control the application environment, you could enforce a chunk-size limit of your own in a wrapper around the parser, but the safest route is updating.
  3. Reverse Proxy Hardening: Place a reverse proxy (e.g., nginx, HAProxy, or Windows IIS ARR) in front of the Erlang application that enforces maximum chunk sizes or limits the size of the HTTP headers/body. This can block oversized chunk-size fields before they reach the vulnerable parser. For example, nginx’s client_max_body_size and proxy_request_buffering directives can help, though they primarily target overall body size, not the chunk-size field specifically. An effective mitigation is to configure the proxy to reject any Transfer-Encoding header with a chunk-size field exceeding a sane limit—a feature available in many Web Application Firewalls.
  4. Network Segmentation: Restrict access to the vulnerable service to trusted networks only. If the service is internal, this reduces the attack surface considerably.
  5. Monitoring and Alerting: Enable monitoring for Erlang VM memory spikes and crash logs. A sudden increase in erlang:memory(total) or frequent scheduler collapse alerts could indicate an exploit attempt.

Response Timeline & Credit

The vulnerability was discovered by a security researcher (details not publicly disclosed at the time of publication) and reported responsibly to the ninenines project. The maintainer, Loïc Hoguin, released the patch within a week. The advisory was published under the GitHub Security Advisory GHSA-w6v7-gm9w-j4h7 and synced to the NVD as CVE-2026-7790.

Broader Implications for Erlang Ecosystems

This vulnerability highlights a class of parsing bugs common in HTTP libraries across all languages—improper input validation for protocol elements that lack explicit size constraints. While Erlang’s Actor model and supervision trees are resilient to many failure modes, a DoS that brings down the VM entirely bypasses these safeguards. Erlang developers should audit their dependencies for similar unbounded parsing issues, particularly in NIFs where the VM’s preemptive scheduling may not apply.

For Windows environments, where Erlang is less common but still used in niche high-availability systems, this serves as a reminder to maintain an inventory of non-Microsoft runtime dependencies. Updates to OTP libraries often fly under the radar of typical Windows patch management cycles.

Action Plan for Windows Admins

  1. Inventory all Erlang/OTP services across your Windows server fleet. Use tasklist to find erl.exe processes and correlate with installed applications.
  2. For each service, determine the cowlib version as described above.
  3. Update the affected applications. If you use precompiled releases, replace the cowlib directory in the release’s lib folder with the new version, then restart the service.
  4. Verify that the service starts without errors and that requests using chunked transfer encoding return normal responses.
  5. Monitor event logs for Erlang crash dumps and investigate any suspicious HTTP requests that may indicate exploitation attempts.

Organizations relying on third-party appliances or embedded devices that use Erlang should contact the vendor for updates. The vulnerability could affect network equipment, telecom infrastructure, or IoT gateways that run Cowboy internally.

Conclusion

CVE-2026-7790 is a grave but easily fixed vulnerability. Because Erlang systems are often designed for high uptime and rapid recovery, a DoS that crashes the entire node undermines these strengths. Upgrading to cowlib 2.16.1 is a one-line change for most projects and delivers immediate protection. Given the simplicity of exploitation, any internet-exposed Cowboy service on unpatched versions should be considered at critical risk until remediated.

For the latest information, track the official advisory at https://github.com/ninenines/cowlib/security/advisories/GHSA-w6v7-gm9w-j4h7 and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-7790.