CVE-2026-32873: CWE-825: Expired Pointer Dereference in vshakitskiy ewe
CVE-2026-32873 is a high-severity vulnerability in the Gleam web server 'ewe', versions 0.8.0 through 3.0.4. The flaw exists in the handle_trailers function, where rejected trailer headers cause an infinite recursion loop, leading to 100% CPU usage and a denial-of-service condition. This occurs because the code repeatedly re-parses the same header without advancing, permanently wedging the BEAM process. The vulnerability is exploitable remotely by unauthenticated attackers via chunked HTTP requests, with no application-level workaround possible. It is fixed in version 3.0.5.
AI Analysis
Technical Summary
CVE-2026-32873 is a vulnerability classified under CWE-825 (Expired Pointer Dereference) affecting the Gleam web server 'ewe' in versions 0.8.0 through 3.0.4. The issue resides in the handle_trailers function, which processes HTTP trailer headers in chunked transfer encoding. When the server encounters trailer headers that are either forbidden or undeclared, the function erroneously recurses with the original buffer at three call sites instead of advancing past the rejected header. Specifically, at lines 520, 523, and 526 in the source code, the recursion reuses the same buffer segment (Buffer(header_rest, 0)), so the decoder.decode_packet call re-parses the identical header indefinitely. This infinite recursion has no timeout or escape condition, causing the BEAM virtual machine process running the server to become wedged at 100% CPU utilization. The vulnerability can be triggered by any unauthenticated remote client sending crafted chunked HTTP requests with malicious trailer headers, and the loop occurs before control returns to the application code, making mitigation at the application level impossible. The flaw results in a denial-of-service condition by exhausting CPU resources, effectively rendering the server unresponsive. The issue was publicly disclosed on March 20, 2026, and is fixed in ewe version 3.0.5. The CVSS v3.1 base score is 7.5, indicating high severity, primarily due to the ease of remote exploitation without authentication and the significant impact on availability, though confidentiality and integrity remain unaffected.
Potential Impact
The primary impact of CVE-2026-32873 is a denial-of-service (DoS) condition caused by infinite recursion in the handling of HTTP trailer headers. This results in the affected server process consuming 100% CPU indefinitely, leading to service unavailability. Organizations running vulnerable versions of the ewe web server may experience complete service outages, disrupting business operations and potentially causing cascading failures in dependent systems. Since the vulnerability is exploitable remotely without authentication or user interaction, attackers can launch DoS attacks at scale, potentially affecting public-facing web services. The inability to mitigate the issue at the application level increases the risk, as patching or upgrading the server software is the only effective remediation. This could also lead to reputational damage and financial losses for organizations relying on affected systems. Although no data confidentiality or integrity compromise is indicated, the availability impact alone can be critical for high-availability environments, especially those handling real-time or customer-facing services.
Mitigation Recommendations
1. Immediate upgrade to ewe version 3.0.5 or later, where the vulnerability is fixed, is the most effective mitigation.
2. If upgrading is not immediately possible, implement network-level protections such as Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) to detect and block HTTP requests with suspicious or malformed chunked trailer headers.
3. Monitor server CPU usage and network traffic patterns to detect anomalous spikes indicative of exploitation attempts.
4. Employ rate limiting on incoming HTTP requests to reduce the risk of DoS attacks exploiting this vulnerability.
5. Review and restrict exposure of services running ewe to only trusted networks or clients where feasible.
6. Engage in proactive vulnerability management to ensure timely application of patches for critical infrastructure components.
7. Consider deploying application-layer proxies that can sanitize or reject unsupported trailer headers before they reach the vulnerable server.
8. Maintain comprehensive logging and alerting to facilitate rapid incident response if exploitation is suspected.
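As an added illustration (not ewe's own code, which is written in Gleam): a Python chunked-trailer parser of the kind a front-end proxy from recommendation 7 could run. It rejects forbidden and undeclared trailer fields while always consuming the rejected line, and a progress guard makes the non-advancing pattern described in the technical summary fail closed instead of spinning. The FORBIDDEN_TRAILERS subset, the helper names and the sample request are constructed for this example.

```python
import re
# Constructed subset of the trailer fields RFC 7230 section 4.1.2 forbids; not ewe's own list.
FORBIDDEN_TRAILERS = {"transfer-encoding", "content-length", "host", "trailer", "content-type"}
HEADER_LINE = re.compile(rb"([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*([^\r\n]*)\r\n")

def parse_trailers(buf, declared):
    """Parse the trailer section after the zero-size chunk; returns (accepted, rejected, rest)."""
    accepted, rejected = {}, []
    while True:
        if buf.startswith(b"\r\n"):        # empty line ends the trailer section
            return accepted, rejected, buf[2:]
        m = HEADER_LINE.match(buf)
        if m is None:
            raise ValueError("malformed trailer line")
        rest = buf[m.end():]
        if len(rest) >= len(buf):          # progress guard: a stuck parser fails closed
            raise RuntimeError("trailer parser made no progress")
        name = m.group(1).decode("ascii").lower()
        if name in FORBIDDEN_TRAILERS or name not in declared:
            rejected.append(name)           # rejected, but still consumed below
        else:
            accepted[name] = m.group(2).decode("latin-1").strip()
        buf = rest                          # advance on the reject path too: the fix

def skip_chunks(body):
    """Step over chunk-size lines and chunk data up to the last-chunk (size 0)."""
    while True:
        eol = body.find(b"\r\n")
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[:eol].split(b";")[0], 16)   # chunk extensions ignored
        body = body[eol + 2:]
        if size == 0:
            return body
        if body[size:size + 2] != b"\r\n":
            raise ValueError("truncated chunk data")
        body = body[size + 2:]

def inspect_chunked_request(raw):
    """Proxy-side check: collect the declared Trailer names, then validate the trailers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    declared = {v.strip().lower()
                for m in re.finditer(rb"(?im)^trailer:[ \t]*([^\r\n]*)", head)
                for v in m.group(1).decode("latin-1").split(",")}
    return parse_trailers(skip_chunks(body), declared)

# Constructed sample request: one declared trailer, one forbidden, one undeclared.
SAMPLE = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\nTrailer: X-Checksum\r\n\r\n"
          b"5\r\nhello\r\n0\r\nX-Checksum: abc123\r\nContent-Length: 5\r\nX-Debug: 1\r\n\r\n")
```

A proxy built on this would forward only the accepted trailers (or drop the request when the rejected list is non-empty), so the origin server never sees a trailer it would reject.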
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-16T21:03:44.419Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bca5a4e32a4fbe5f143324
Added to database: 3/20/2026, 1:40:52 AM
Last enriched: 3/20/2026, 1:54:03 AM
Last updated: 3/20/2026, 5:15:23 AM