CVE-2026-47077: CWE-400 Uncontrolled Resource Consumption in benoitc hackney
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk, housekeeping message, or settings frame — it is not a wall-clock deadline. A malicious HTTP/3 server that emits one small chunk every Timeout - 1 ms with Fin = false and never sends a final frame keeps the loop alive indefinitely while the accumulation buffer grows linearly without bound, eventually exhausting the BEAM process heap and causing an out-of-memory condition. This issue affects hackney: from 2.0.0 before 4.0.1.
AI Analysis
Technical Summary
This vulnerability (CWE-400) in benoitc hackney arises because the HTTP/3 response handling loop accumulates response data in memory without imposing a size cap. The inactivity timer resets on each received chunk, allowing a malicious server to keep the loop alive indefinitely by sending small chunks just before the timeout expires and never sending a final frame. This leads to linear growth of the accumulation buffer, exhausting the BEAM process heap and causing an out-of-memory condition. It affects hackney versions from 2.0.0 up to but not including 4.0.1.
Potential Impact
Exploitation of this vulnerability can cause a denial of service by exhausting the memory of the BEAM process running hackney, leading to out-of-memory crashes. This impacts availability of applications using the affected hackney versions when communicating with a malicious HTTP/3 server. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are provided in the available data. Until a patch is available, users should consider avoiding communication with untrusted HTTP/3 servers or implementing external resource limits on the process running hackney to mitigate potential memory exhaustion.
CVE-2026-47077: CWE-400 Uncontrolled Resource Consumption in benoitc hackney
Description
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk, housekeeping message, or settings frame — it is not a wall-clock deadline. A malicious HTTP/3 server that emits one small chunk every Timeout - 1 ms with Fin = false and never sends a final frame keeps the loop alive indefinitely while the accumulation buffer grows linearly without bound, eventually exhausting the BEAM process heap and causing an out-of-memory condition. This issue affects hackney: from 2.0.0 before 4.0.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CWE-400) in benoitc hackney arises because the HTTP/3 response handling loop accumulates response data in memory without imposing a size cap. The inactivity timer resets on each received chunk, allowing a malicious server to keep the loop alive indefinitely by sending small chunks just before the timeout expires and never sending a final frame. This leads to linear growth of the accumulation buffer, exhausting the BEAM process heap and causing an out-of-memory condition. It affects hackney versions from 2.0.0 up to but not including 4.0.1.
Potential Impact
Exploitation of this vulnerability can cause a denial of service by exhausting the memory of the BEAM process running hackney, leading to out-of-memory crashes. This impacts availability of applications using the affected hackney versions when communicating with a malicious HTTP/3 server. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are provided in the available data. Until a patch is available, users should consider avoiding communication with untrusted HTTP/3 servers or implementing external resource limits on the process running hackney to mitigate potential memory exhaustion.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-05-18T17:28:10.319Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a149bd3a5ae1af1aad7733f
Added to database: 5/25/2026, 6:58:27 PM
Last enriched: 5/25/2026, 6:59:36 PM
Last updated: 5/26/2026, 7:54:34 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.