#1137525 erlang-cowboy: CVE-2026-8466

Package:
src:erlang-cowboy
Source:
src:erlang-cowboy
Submitter:
Salvatore Bonaccorso
Date:
2026-06-19 17:55:04 UTC
Severity:
normal
Tags:
#1137525#5
Date:
2026-05-24 19:14:47 UTC
Hi,

The following vulnerability was published for erlang-cowboy.

Note I'm not entirely certain that the pre.1 version as well already
contains the issue, but in the ideal case, in the occurrence that
erlang-cowboy ever gets migrated to testing, it should as well be
updated to at least 2.15.0, which contains this fix.

CVE-2026-8466[0]:
| Allocation of Resources Without Limits or Throttling vulnerability
| in ninenines cowboy allows denial of service via unbounded buffer
| accumulation in multipart header parsing.  cowboy_req:read_part/3 in
| src/cowboy_req.erl accumulates incoming request bytes into a Buffer
| binary with no upper-bound check. When cow_multipart:parse_headers/2
| returns more or {more, Buffer2}, the function reads up to Length
| bytes (default 64 KB) from the request body and recurses with the
| enlarged buffer. There is no equivalent of the byte_size(Acc) >
| Length guard present in the sibling function read_part_body/4. An
| unauthenticated attacker can send a multipart/form-data request
| whose body never yields a complete header section — for example, a
| body that never contains the advertised boundary delimiter, or one
| whose header lines never contain \r\n\r\n — and force the server
| process to accumulate memory linearly with the bytes the protocol
| layer is willing to deliver. A handful of concurrent such uploads is
| sufficient to exhaust BEAM memory.  This issue affects cowboy from
| 2.0.0 before 2.15.0.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-8466
https://www.cve.org/CVERecord?id=CVE-2026-8466
[1] https://cna.erlef.org/cves/CVE-2026-8466.html
[2] https://osv.dev/vulnerability/EEF-CVE-2026-8466

Regards,
Salvatore
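
The accumulation loop the CVE text describes, modelled in Python as an added
illustration. This is not cowboy's code and not the upstream fix: the names
read_part_unbounded, read_part_bounded, parse_headers, ChunkedStream and the
max_header_size parameter are stand-ins invented for the model, and both
request bodies are constructed, not captured traffic. The vulnerable shape
appends every chunk to the buffer until "\r\n\r\n" turns up; the bounded shape
adds the byte_size(Acc) > Length style guard the text says read_part_body/4
has, and rejects the request once the accumulator passes the bound.

```python
"""Model of the CVE-2026-8466 pattern: a streaming multipart header reader
that accumulates bytes until "\\r\\n\\r\\n" appears, with and without an
upper bound.  Constructed illustration; nothing here is cowboy's own code."""

HEADER_END = b"\r\n\r\n"
DEFAULT_LENGTH = 64 * 1024  # per-read chunk size; 64 KB is the default the CVE text cites


class PartHeadersTooLarge(Exception):
    """Raised by the bounded reader when the header section exceeds the limit."""


class ChunkedStream:
    """Constructed stand-in for a request body: hands out at most `length`
    bytes per read and counts what it has delivered.  Until a header section
    completes nothing is consumed, so bytes_delivered == bytes the reader holds."""

    def __init__(self, data: bytes):
        self._data = data
        self._pos = 0
        self.bytes_delivered = 0

    def read(self, length: int) -> bytes:
        chunk = self._data[self._pos:self._pos + length]
        self._pos += len(chunk)
        self.bytes_delivered += len(chunk)
        return chunk


def parse_headers(buf: bytes):
    """Minimal stand-in for cow_multipart:parse_headers/2: ("ok", headers, rest)
    once a complete header section is buffered, otherwise ("more", buf)."""
    end = buf.find(HEADER_END)
    if end < 0:
        return ("more", buf)
    headers = []
    for line in buf[:end].split(b"\r\n"):
        if line:
            name, _, value = line.partition(b":")
            headers.append((name.strip().lower(), value.strip()))
    return ("ok", headers, buf[end + len(HEADER_END):])


def read_part_unbounded(stream, length=DEFAULT_LENGTH):
    """The vulnerable shape: read and append until the headers parse.  A body
    that never contains "\\r\\n\\r\\n" grows `buffer` until the body itself ends."""
    buffer = b""
    while True:
        result = parse_headers(buffer)
        if result[0] == "ok":
            return result[1], result[2]
        data = stream.read(length)
        if not data:
            return None      # body exhausted without a complete header section
        buffer += data       # no size check on the accumulator


def read_part_bounded(stream, length=DEFAULT_LENGTH, max_header_size=None):
    """Same loop plus the guard read_part_body/4 has (byte_size(Acc) > Length):
    once the accumulator exceeds the bound, reject instead of reading on.
    `max_header_size` defaults to `length` to mirror that guard; it is a
    parameter of this model, not a cowboy option."""
    limit = length if max_header_size is None else max_header_size
    buffer = b""
    while True:
        result = parse_headers(buffer)
        if result[0] == "ok":
            return result[1], result[2]
        data = stream.read(length)
        if not data:
            return None
        buffer += data
        if len(buffer) > limit:
            raise PartHeadersTooLarge(len(buffer))


# Constructed inputs (not captured traffic).
LEGIT_BODY = (b'Content-Disposition: form-data; name="f"\r\n'
              b'Content-Type: text/plain\r\n\r\nhello')


def attacker_body(size=1024 * 1024):
    """Header lines forever, each ending in CRLF but never followed by a blank
    line, so the terminator the reader waits for never arrives."""
    line = b"X-Filler: " + b"a" * 1012 + b"\r\n"   # exactly 1024 bytes
    return (line * (size // len(line)))[:size]


def demo():
    """Bytes each reader had accumulated when it gave up on the attacker body."""
    vuln = ChunkedStream(attacker_body())
    read_part_unbounded(vuln)          # returns None only after swallowing everything
    safe = ChunkedStream(attacker_body())
    try:
        read_part_bounded(safe)
    except PartHeadersTooLarge:
        pass
    return vuln.bytes_delivered, safe.bytes_delivered


if __name__ == "__main__":
    print(demo())   # (1048576, 131072)
```

With a 1 MiB never-terminating body the unbounded reader holds all 1 MiB
before returning; the bounded one stops after the second 64 KB read. Scale the
body to what the protocol layer will deliver, multiply by concurrent uploads,
and you have the memory exhaustion the CVE text describes. A legitimate part
(LEGIT_BODY read in 8-byte chunks with a 256-byte bound) still parses, which is
the property any bound on header accumulation has to preserve.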

#1137525#10
Date:
2026-06-19 17:53:23 UTC
We believe that the bug you reported is fixed in the latest version of
erlang-cowboy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1137525@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergei Golovan <sgolovan@debian.org> (supplier of updated erlang-cowboy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 19 Jun 2026 20:23:30 +0300
Source: erlang-cowboy
Architecture: source
Version: 2.16.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>
Changed-By: Sergei Golovan <sgolovan@debian.org>
Closes: 1137525
Changes:
 erlang-cowboy (2.16.1+dfsg-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release.
     - Fix for CVE-2026-8466: Allocation of Resources Without Limits
       or Throttling vulnerability in ninenines cowboy application
       (closes: #1137525).
     - Remove no longer necessary patches.
     - Switch to make from rebar for building the package.
   * Update debian/control.
     - Bump Standards-Version to 4.7.4.
     - Update debhelper compatibility level to 13.
     - Update dependencies on erlang-cowlib and erlang-ranch.
   * Update debian/copyright.
     - Drop no longer present files from the excluded files list.
   * Update debian/watch.
     - Bump version to 4.
     - Use +dfsg suffix.
Checksums-Sha1:
 c4606b6e7e4c013bc62add255b378128042ee0b7 2421 erlang-cowboy_2.16.1+dfsg-1.dsc
 9f04b7a57113c88cbf4972f3156e98cf69d27f94 2044468 erlang-cowboy_2.16.1+dfsg.orig.tar.xz
 516a568ac38a1135918f1a47e889073e6744f435 3980 erlang-cowboy_2.16.1+dfsg-1.debian.tar.xz
 2038b6c471e17e2f030699ed8537dcd60a3493f4 18944 erlang-cowboy_2.16.1+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 0cbaaf4df66b1ed5f29efc9ccf52944566e18574075a9ebe07e77e152426c0d9 2421 erlang-cowboy_2.16.1+dfsg-1.dsc
 8315d7d39cdf93e90cc89c4a227b4dee8a783e02e6e632082401e1adb719feb3 2044468 erlang-cowboy_2.16.1+dfsg.orig.tar.xz
 0befebde941cca988d6f7a68f5616d46f88388013363e2427acf8748e9fbb024 3980 erlang-cowboy_2.16.1+dfsg-1.debian.tar.xz
 9e2cf210d2cb7f6beed3daba28088c69b7e8b863e4336b2b26d15b0b97f6c695 18944 erlang-cowboy_2.16.1+dfsg-1_amd64.buildinfo
Files:
 d97601efe784a3c86c164b6c8f301e57 2421 devel optional erlang-cowboy_2.16.1+dfsg-1.dsc
 dfe58817524262e1989df54436ad7b62 2044468 devel optional erlang-cowboy_2.16.1+dfsg.orig.tar.xz
 f5e64e11a7107ef59f500c2f95519d31 3980 devel optional erlang-cowboy_2.16.1+dfsg-1.debian.tar.xz
 19c3fb2f910c35c88e817e2577991d92 18944 devel optional erlang-cowboy_2.16.1+dfsg-1_amd64.buildinfo