Description
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion.

cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2.

This issue affects cowlib from 0.1.0 before 2.16.1.
Published: 2026-05-13
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw arises from improper handling of highly compressed data in the cow_spdy:inflate/2 function. A crafted SPDY frame containing a few kilobytes of compressed data can inflate to gigabytes on the BEAM heap, causing an out-of-memory crash. Because a single frame is sufficient and no authentication is required, the result is an unauthenticated remote denial of service regardless of user context. The weakness is a classic data-amplification scenario (CWE-409).

Affected Systems

The affected product is the Erlang/Elixir library cowlib maintained by ninenines. Versions from the initial release 0.1.0 up through any build prior to 2.16.1 contain the vulnerable cow_spdy module. The module was removed entirely in cowlib 2.16.1, and no backported patch for older versions will be released.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. No EPSS score is available, so the precise likelihood of exploitation is unknown, but because no authentication is required and the decompressed output is unbounded, an attacker need only send the payload over the network. The vulnerability is not listed in CISA's KEV catalog, and no public exploits are reported; however, the potential for large-scale denial of service or resource exhaustion makes it a serious risk in production deployments that continue to support SPDY.

Generated by OpenCVE AI on May 13, 2026 at 20:25 UTC.

Remediation

Vendor Solution

Upgrade to cowlib 2.16.1 or later, in which the cow_spdy module has been removed entirely. No patched version of cow_spdy will be provided. Migrate away from SPDY, which has been deprecated since 2015 in favour of HTTP/2.
OpenCVE Recommended Actions

  • Upgrade cowlib to version 2.16.1 or later, which removes the vulnerable cow_spdy module and eliminates the decompression vulnerability.
  • Migrate application code and configuration away from SPDY to the supported HTTP/2 protocol, as SPDY has been deprecated since 2015.
  • Until an upgrade is possible, block or drop incoming SPDY frames at network or proxy layers so that inflated payloads never reach the BEAM heap.
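As an added illustration of the missing check (this is not cowlib's code; the vendor's fix was to remove cow_spdy rather than bound it), the Python below inflates a SPDY-style header block against a preset dictionary while capping the decompressed size per frame, so a few kilobytes of compressed input cannot expand unchecked. The dictionary, the 64 KiB limit and the sample header bytes are constructed placeholders, not the real ?ZDICT or any cowlib value.

```python
import zlib

# Constructed stand-in for the public SPDY header dictionary (?ZDICT in
# cow_spdy); the real dictionary is longer and is defined in the SPDY spec.
ZDICT = b"optionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encoding"

# Assumed cap on the decompressed size of one header block. cow_spdy had no
# such cap, which is the defect the advisory describes.
MAX_HEADER_BLOCK = 64 * 1024

# Constructed sample header block (name/value bytes as a peer might send).
SAMPLE_HEADERS = b"\x00\x01\x00\x04host\x00\x0bexample.com"


class HeaderInflater:
    """Per-connection zlib context (SPDY shares one across all header frames)
    whose output for each frame is capped before it is materialised."""

    def __init__(self, limit=MAX_HEADER_BLOCK):
        self.limit = limit
        self.z = zlib.decompressobj(zdict=ZDICT)

    def inflate(self, payload):
        # Ask zlib for at most limit+1 bytes. If it can return more than the
        # limit, or still has input it could not expand within that budget,
        # the frame is rejected without ever allocating the full expansion.
        out = self.z.decompress(payload, self.limit + 1)
        if len(out) > self.limit or self.z.unconsumed_tail:
            # The context now holds partial state; the caller must close the
            # connection rather than reuse this inflater.
            raise ValueError("header block exceeds %d bytes decompressed" % self.limit)
        return out


def compress_block(raw):
    """Constructed test input: a header block compressed with the same
    dictionary, the way a SPDY peer would encode it."""
    c = zlib.compressobj(zdict=ZDICT)
    return c.compress(raw) + c.flush()


def check_frame(payload, limit=MAX_HEADER_BLOCK):
    """(accepted, decompressed_length) for one frame on a fresh connection."""
    try:
        out = HeaderInflater(limit).inflate(payload)
    except ValueError:
        return False, 0
    return True, len(out)
```

Feeding `check_frame` a block built from 4 MiB of repeated bytes (a few KiB compressed, the ratio the advisory cites) returns a rejection after at most 64 KiB + 1 of output has been produced; on rejection the connection must be closed, since the shared zlib context cannot be resynchronised.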

Generated by OpenCVE AI on May 13, 2026 at 20:25 UTC.

Advisories

No advisories yet.

History

Thu, 14 May 2026 13:15:00 +0000

Type | Values removed | Values added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 19:15:00 +0000

Type | Values removed | Values added
Description | | (the full description shown at the top of this page)
Title | | Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame
First Time appeared | | Ninenines; Ninenines cowlib
Weaknesses | | CWE-409
CPEs | | cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*
Vendors & Products | | Ninenines; Ninenines cowlib
References | |
Metrics | | cvssV4_0: {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-14T12:39:10.669Z

Reserved: 2026-05-04T18:23:25.574Z

Link: CVE-2026-43970

Vulnrichment

Updated: 2026-05-14T12:39:04.066Z

NVD

Status: Deferred

Published: 2026-05-13T19:17:25.440

Modified: 2026-05-14T17:07:07.030

Link: CVE-2026-43970

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T20:45:03Z

Weaknesses