CVE-2026-32873
CVE-2026-32873 is a high-severity vulnerability in Vshakitskiy Ewe with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-835.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 1% (44th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-13428
- Weakness: CWE-835
- Affected product: Vshakitskiy Ewe
- Published:
- Last modified:
Description
ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handle_trailers function where rejected trailer headers (forbidden or undeclared) cause an infinite loop. When handle_trailers encounters such a trailer, three code paths (lines 520, 523, 526) recurse with the original buffer (rest) instead of advancing past the rejected header (Buffer(header_rest, 0)), causing decoder.decode_packet to re-parse the same header on every iteration. The resulting loop has no timeout or escape — the BEAM process permanently wedges at 100% CPU. Any application that calls ewe.read_body on chunked requests is affected, and this is exploitable by any unauthenticated remote client before control returns to application code, making an application-level workaround impossible. This issue is fixed in version 3.0.5.
Frequently asked questions
- What is CVE-2026-32873?
- ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handle_trailers function where rejected trailer headers (forbidden or undeclared) cause an infinite loop. When handle_trailers encounters such a trailer, three code paths (lines 520, 523, 526) recurse with the original buffer (rest) instead of advancing past the rejected header (Buffer(header_rest, 0)), causing decoder.decode_packet to re-parse the same header on every iteration. The resulting loop has no timeout or escape — the BEAM process permanently wedges at 100% CPU. Any application that calls ewe.read_body on chunked requests is affected, and this is exploitable by any unauthenticated remote client before control returns to application code, making an application-level workaround impossible. This issue is fixed in version 3.0.5.
- How severe is CVE-2026-32873?
- CVE-2026-32873 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2026-32873 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (44th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-32873?
- CVE-2026-32873 affects Vshakitskiy Ewe. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-32873?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-32873 have an EU (EUVD) identifier?
- Yes. CVE-2026-32873 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-13428.
- When was CVE-2026-32873 published?
- CVE-2026-32873 was published on 2026-03-20 and last updated on 2026-06-17.
References
- https://github.com/vshakitskiy/ewe/commit/8513de9dcdd0005f727c0f6f15dd89f8d626f560
- https://github.com/vshakitskiy/ewe/commit/d8b9b8a86470c0cb5696647997c2f34763506e37
- https://github.com/vshakitskiy/ewe/security/advisories/GHSA-4w98-xf39-23gp
Affected products (1)
- cpe:2.3:a:vshakitskiy:ewe:*:*:*:*:*:*:*:*
More vulnerabilities in Vshakitskiy Ewe
- CVE-2026-34715 — Medium (CVSS 5.3): ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam…
- CVE-2026-32881 — Medium (CVSS 5.3): ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication…
All CVEs affecting Vshakitskiy Ewe →
Other CWE-835 (Loop with Unreachable Exit Condition (Infinite Loop)) vulnerabilities
- CVE-2026-24816 — Critical (CVSS 10.0): Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in datavane tis…
- CVE-2018-20784 — Critical (CVSS 9.8): In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf cfs_rq's, which allows attackers to cause a…
- CVE-2017-12997 — Critical (CVSS 9.8): The LLDP parser in tcpdump before 4.9.2 could enter an infinite loop due to a bug in…
- CVE-2017-12995 — Critical (CVSS 9.8): The DNS parser in tcpdump before 4.9.2 could enter an infinite loop due to a bug in print-domain.c:ns_print().
- CVE-2017-12990 — Critical (CVSS 9.8): The ISAKMP parser in tcpdump before 4.9.2 could enter an infinite loop due to bugs in print-isakmp.c, several functions.
- CVE-2026-31448 — Critical (CVSS 9.4): In the Linux kernel, the following vulnerability has been resolved: ext4: avoid infinite loops caused by residual…
Browse all CWE-835 (Loop with Unreachable Exit Condition (Infinite Loop)) vulnerabilities →