CVE-2026-43970
CVE-2026-43970 is a high-severity vulnerability with a CVSS 4.0 base score of 8.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-409.
Key facts
- Severity: High (CVSS 4.0 base score 8.2)
- EPSS exploit prediction: 1% (40th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-30131
- Weakness: CWE-409
- Published:
- Last modified:
Description
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2. This issue affects cowlib from 0.1.0 before 2.16.1.
Frequently asked questions
- What is CVE-2026-43970?
- Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2. This issue affects cowlib from 0.1.0 before 2.16.1.
- How severe is CVE-2026-43970?
- CVE-2026-43970 has a CVSS 4.0 base score of 8.2, rated high severity.
- Is CVE-2026-43970 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (40th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2026-43970?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-43970 have an EU (EUVD) identifier?
- Yes. CVE-2026-43970 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-30131.
- When was CVE-2026-43970 published?
- CVE-2026-43970 was published on 2026-05-13 and last updated on 2026-06-17.
References
- https://cna.erlef.org/cves/CVE-2026-43970.html
- https://github.com/ninenines/cowlib/commit/16aad3fb9f81f5cda4d1706ff0c54237c619c282
- https://osv.dev/vulnerability/EEF-CVE-2026-43970
Other CWE-409 vulnerabilities
- CVE-2026-53430 — High (CVSS 8.7): Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc…
- CVE-2026-44697 — High (CVSS 8.6): Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated…
- CVE-2026-49755 — High (CVSS 8.2): Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows…
- CVE-2026-48594 — High (CVSS 8.2): Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of…
- CVE-2026-24264 — High (CVSS 7.5): NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause improper handling of…
- CVE-2026-48044 — High (CVSS 7.5): Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.23.0 until 1.35.11,…