The vulnerability in plug_cowboy occurs in the Plug.Cowboy.Conn.conn/1 function, which calls String.to_atom/1 on the :scheme value returned by :cowboy_req.scheme/1. For HTTP/2, the :scheme pseudo-header is client-controlled and passed verbatim without validation, allowing attackers to send many unique values. Each unique atom consumes a permanent slot in the BEAM atom table, which is not garbage collected and has a fixed maximum size (default 1,048,576). Exhausting this table causes the Erlang VM to abort with a system_limit error, resulting in a denial of service by crashing the entire node. HTTP/1.1 is unaffected because the scheme is derived from the listener type rather than client input. The vulnerability affects plug_cowboy versions from 2.0.0 up to but not including 2.8.1.

An unauthenticated remote attacker can cause a denial of service by exhausting the Erlang VM atom table through sending HTTP/2 requests with unique :scheme pseudo-header values. This leads to the Erlang VM aborting and the entire node crashing, resulting in service disruption. The vulnerability does not allow code execution or data disclosure but impacts availability severely.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider mitigating by disabling or restricting HTTP/2 support in plug_cowboy if feasible, or applying network-level controls to limit or validate incoming HTTP/2 :scheme headers. Avoid relying on HTTP/2 connections from untrusted sources. Monitor vendor channels for updates and apply official patches once released.