8.7
CVE-2026-47067
- EPSS 0.7%
- Veröffentlicht 25.05.2026 14:00:48
- Zuletzt bearbeitet 27.05.2026 13:52:12
- Quelle 6b3ad84c-e1a6-4bf7-a703-f496b7
- CVE-Watchlists
- Unerledigt
LoginAtom table exhaustion via unrecognized URL schemes in hackney
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms are never garbage-collected and the atom table defaults to a hard limit of 1,048,576 entries. An attacker who can supply URLs with attacker-chosen scheme prefixes — directly as request targets, as configured webhook URLs, or via Location headers followed during redirects — can exhaust the atom table and crash the entire BEAM VM with system_limit. This issue affects hackney: from 2.0.0 before 4.0.1.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.7% | 0.485 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | 8.7 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-770 Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
https://github.com/benoitc/hackney/security/advisories/GHSA-9653-rcfr-5c62
https://cna.erlef.org/cves/CVE-2026-47067.html
https://osv.dev/vulnerability/EEF-CVE-2026-47067
https://github.com/benoitc/hackney/commit/31f6f0e27e096ad88743dfded4f030a3ee74972e