CVE-2026-8468

EPSS 0.62%
Veröffentlicht 14.05.2026 10:29:51
Zuletzt bearbeitet 14.05.2026 17:07:07
Quelle 6b3ad84c-e1a6-4bf7-a703-f496b7
CVE-Watchlists
Login
Unerledigt
Login

Unbounded buffer accumulation in multipart header parsing causes denial of service in plug

Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing.

'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) > length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service.

This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 12

CNA 2 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerelixir-plug

≫

Produkt plug

Default Statusunaffected

Version 1.4.0

Version < 1.15.4

Status affected

Version 1.16.0

Version < 1.16.3

Status affected

Version 1.17.0

Version < 1.17.1

Status affected

Version 1.18.0

Version < 1.18.2

Status affected

Version 1.19.0

Version < 1.19.2

Status affected

Herstellerelixir-plug

≫

Produkt plug

Default Statusunaffected

Version c52b2f32c90bccd718202bafccb5f95594e30183

Version < *

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.62%	0.45

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
6b3ad84c-e1a6-4bf7-a703-f496b71e49db	8.2	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://cna.erlef.org/cves/CVE-2026-8466.html

https://github.com/elixir-plug/plug/security/advisories/GHSA-468c-vq7p-gh64

https://cna.erlef.org/cves/CVE-2026-8468.html

https://osv.dev/vulnerability/EEF-CVE-2026-8468

https://github.com/elixir-plug/plug/commit/2cb7958d33030aa826b0c7404375844d4593d43a

https://github.com/elixir-plug/plug/commit/aa69c5ece99c40ded88b8c6581ecc86664b0b734

https://github.com/elixir-plug/plug/commit/d5dfffe25e975585227b1b85d247b0d14164bc45

https://github.com/elixir-plug/plug/commit/df812a1527bae9e941965e897308a2b8bbf83a94

https://github.com/elixir-plug/plug/commit/33858427c7f2737d560a2e40a0c9a9270d77d1d7

https://nvd.nist.gov/vuln/detail/CVE-2026-8468

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-8468

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-8468

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-8468