Description
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk, housekeeping message, or settings frame — it is not a wall-clock deadline. A malicious HTTP/3 server that emits one small chunk every Timeout - 1 ms with Fin = false and never sends a final frame keeps the loop alive indefinitely while the accumulation buffer grows linearly without bound, eventually exhausting the BEAM process heap and causing an out-of-memory condition.

This issue affects hackney: from 2.0.0 before 4.0.1.
Published: 2026-05-25
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw originates in hackney's HTTP/3 response handling, where the accumulated body is stored in a memory buffer without a size limit. A malicious server can send a stream of tiny chunks indefinitely; each fragment resets the inactivity timeout, so the loop never exits. Over time the buffer grows linearly until the BEAM process heap is exhausted, causing an out‑of‑memory crash that terminates the client process and disrupts service availability.

Affected Systems

The issue is present in the HTTP/3 support of the hackney Erlang HTTP client library, affecting all releases from 2.0.0 up to, but not including, 4.0.1. Any application that depends on hackney 2.0.0 through 4.0.0 is susceptible.

Risk and Exploitability

With a CVSS score of 8.2 the severity is high. The attack vector is remote; an attacker simply needs to host a malicious HTTP/3 server that sends a steady stream of small chunks, keeping the client's receive loop alive. Because the loop only times out on per‑message inactivity, the server can keep it running for as long as it wishes, eventually exhausting memory. No EPSS score is available and the vulnerability is not in CISA's KEV catalog, indicating it has not been widely exploited yet, but the potential impact remains significant.

Generated by OpenCVE AI on May 25, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade hackney to version 4.0.1 or later to obtain the built‑in body‑size limit.
  • Ensure that all dependent modules and applications reference the updated library and restart services to load the patch.
  • In the interim, add application‑level checks that enforce a maximum response body size or monitor for unusually large memory consumption during HTTP/3 sessions to detect malicious activity.

Generated by OpenCVE AI on May 25, 2026 at 15:36 UTC.
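One way to implement the application‑level body‑size limit recommended above, together with the wall‑clock deadline the description says the vulnerable loop lacked, written in Erlang as an added example (this is not hackney's code). It assumes body chunks arrive as messages shaped {body_chunk, Ref, Data, Fin}; the option names max_body, timeout and deadline, and the cap and timings used in demo/0, are constructed values for the example.

```erlang
%% Added example, not hackney's code. It shows the two controls the CVE
%% description says hackney_h3:await_response_loop/6 lacked: a cap on the
%% accumulated body and an absolute deadline that incoming chunks cannot reset.
%% The message shape {body_chunk, Ref, Data, Fin} and the option names are
%% assumptions made for this example.
-module(bounded_body).
-export([await_body/2, demo/0]).

%% await_body(Ref, Opts) -> {ok, Body} | {error, Reason}
%% Opts: #{max_body => bytes, timeout => inactivity ms, deadline => total ms}
await_body(Ref, #{max_body := Max, timeout := Timeout, deadline := Budget}) ->
    Deadline = erlang:monotonic_time(millisecond) + Budget,
    loop(Ref, Max, Timeout, Deadline, <<>>).

loop(Ref, Max, Timeout, Deadline, Acc) ->
    Remaining = Deadline - erlang:monotonic_time(millisecond),
    if
        Remaining =< 0 ->
            %% the deadline is absolute: a steady drip of chunks cannot extend it
            {error, deadline_exceeded};
        true ->
            receive
                {body_chunk, Ref, Data, Fin} ->
                    Acc1 = <<Acc/binary, Data/binary>>,
                    Size = byte_size(Acc1),
                    if
                        %% size cap checked before the chunk is kept
                        Size > Max -> {error, {body_too_large, Size}};
                        Fin =:= true -> {ok, Acc1};
                        true -> loop(Ref, Max, Timeout, Deadline, Acc1)
                    end
            %% wait for the inactivity timeout or the remaining budget,
            %% whichever is shorter, so neither control can be outlived
            after min(Timeout, Remaining) ->
                {error, inactivity_timeout}
            end
    end.

%% demo/0: a constructed "slow-drip" sender that emits a 1 KiB chunk every
%% 10 ms and never sets Fin = true, the pattern the description describes.
demo() ->
    Ref = make_ref(),
    Client = self(),
    Drip = spawn(fun() -> drip(Client, Ref) end),
    Result = await_body(Ref, #{max_body => 4096, timeout => 100, deadline => 2000}),
    exit(Drip, kill),
    flush(Ref),
    Result.

drip(To, Ref) ->
    To ! {body_chunk, Ref, <<0:(8 * 1024)>>, false},
    timer:sleep(10),
    drip(To, Ref).

%% discard any chunks that arrived after the loop gave up
flush(Ref) ->
    receive
        {body_chunk, Ref, _, _} -> flush(Ref)
    after 0 -> ok
    end.
```

Compile and call bounded_body:demo() from a shell; with these constructed settings the size cap is what ends the loop, and lowering deadline below the time needed to reach the cap makes the absolute deadline fire instead. The point of computing the receive wait as min(Timeout, Remaining) is that a chunk arriving every Timeout - 1 ms still counts against a fixed budget, which is exactly what a bare after Timeout clause does not do.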

Advisories

No advisories yet.

History

Wed, 27 May 2026 14:00:00 +0000

Type | Values Removed | Values Added
Metrics (cvssV3_1) | (none) | {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Tue, 26 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | (none) | {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 25 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | (same text as the Description section above)
Title | (none) | Unbounded body accumulation in HTTP/3 response loop in hackney
First Time appeared | (none) | Benoitc; Benoitc hackney
Weaknesses | (none) | CWE-400
CPEs | (none) | cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Benoitc; Benoitc hackney
References | (none) | (none)
Metrics (cvssV4_0) | (none) | {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-27T15:40:53.384Z

Reserved: 2026-05-18T17:28:10.319Z

Link: CVE-2026-47077

Vulnrichment

Updated: 2026-05-26T15:47:44.255Z

NVD

Status: Analyzed

Published: 2026-05-25T15:16:22.837

Modified: 2026-05-27T13:53:56.143

Link: CVE-2026-47077

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T16:45:26Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption