{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-32688", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "state": "PUBLISHED", "assignerShortName": "EEF", "dateReserved": "2026-03-13T09:12:14.475Z", "datePublished": "2026-04-27T13:45:35.160Z", "dateUpdated": "2026-04-27T20:11:22.651Z" }, "containers": { "cna": { "affected": [ { "collectionURL": "https://repo.hex.pm", "cpes": [ "cpe:2.3:a:elixir-plug:plug_cowboy:*:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "modules": [ "'Elixir.Plug.Cowboy.Conn'" ], "packageName": "plug_cowboy", "packageURL": "pkg:hex/plug_cowboy", "product": "plug_cowboy", "programFiles": [ "lib/plug/cowboy/conn.ex" ], "programRoutines": [ { "name": "'Elixir.Plug.Cowboy.Conn':conn/1" } ], "repo": "https://github.com/elixir-plug/plug_cowboy", "vendor": "elixir-plug", "versions": [ { "lessThan": "2.8.1", "status": "affected", "version": "2.0.0", "versionType": "semver" } ] }, { "collectionURL": "https://github.com", "cpes": [ "cpe:2.3:a:elixir-plug:plug_cowboy:*:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "modules": [ "'Elixir.Plug.Cowboy.Conn'" ], "packageName": "elixir-plug/plug_cowboy", "packageURL": "pkg:github/elixir-plug/plug_cowboy", "product": "plug_cowboy", "programFiles": [ "lib/plug/cowboy/conn.ex" ], "programRoutines": [ { "name": "'Elixir.Plug.Cowboy.Conn':conn/1" } ], "repo": "https://github.com/elixir-plug/plug_cowboy", "vendor": "elixir-plug", "versions": [ { "lessThan": "bfb34cb45eb354e56437f7023fb306de1bf9c19b", "status": "affected", "version": "12ecfd024bb179d48b018fecf074e43fe6a19c83", "versionType": "git" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:elixir-plug:plug_cowboy:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.8.1", "versionStartIncluding": "2.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "credits": [ { "lang": "en", "type": "finder", "value": "Peter Ullrich" } ], "descriptions": [ { 
"lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plug_cowboy allows unauthenticated remote denial of service via atom table exhaustion.

Plug.Cowboy.Conn.conn/1 in lib/plug/cowboy/conn.ex calls String.to_atom/1 on the value returned by :cowboy_req.scheme/1. For HTTP/2 connections, cowlib passes the client-supplied :scheme pseudo-header value through verbatim without validation. Each unique value permanently allocates a new entry in the BEAM atom table. Since atoms are never garbage-collected and the atom table has a fixed limit (default 1,048,576; raising it with the +t emulator flag only delays exhaustion and is not a fix), an unauthenticated attacker can exhaust the table by sending HTTP/2 requests with unique :scheme values, causing the Erlang VM to abort with system_limit and taking down the entire node, including every other application running on it.

This vulnerability does not affect HTTP/1.1, where cowboy derives the scheme from the listener type rather than from a client-supplied header.

This issue affects plug_cowboy: from 2.0.0 before 2.8.1.

" } ], "value": "Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plug_cowboy allows unauthenticated remote denial of service via atom table exhaustion.\n\nPlug.Cowboy.Conn.conn/1 in lib/plug/cowboy/conn.ex calls String.to_atom/1 on the value returned by :cowboy_req.scheme/1. For HTTP/2 connections, cowlib passes the client-supplied :scheme pseudo-header value through verbatim without validation. Each unique value permanently allocates a new entry in the BEAM atom table. Since atoms are never garbage-collected and the atom table has a fixed limit (default 1,048,576; raising it with the +t emulator flag only delays exhaustion and is not a fix), an unauthenticated attacker can exhaust the table by sending HTTP/2 requests with unique :scheme values, causing the Erlang VM to abort with system_limit and taking down the entire node, including every other application running on it.\n\nThis vulnerability does not affect HTTP/1.1, where cowboy derives the scheme from the listener type rather than from a client-supplied header.\n\nThis issue affects plug_cowboy: from 2.0.0 before 2.8.1." } ], "impacts": [ { "capecId": "CAPEC-125", "descriptions": [ { "lang": "en", "value": "CAPEC-125 Flooding" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "RED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "CWE-770 
Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-04-27T14:55:05.241Z" }, "references": [ { "tags": [ "vendor-advisory", "related" ], "url": "https://github.com/elixir-plug/plug_cowboy/security/advisories/GHSA-q8x4-x7mp-5vg2" }, { "tags": [ "related" ], "url": "https://cna.erlef.org/cves/CVE-2026-32688.html" }, { "tags": [ "related" ], "url": "https://osv.dev/vulnerability/EEF-CVE-2026-32688" }, { "tags": [ "patch" ], "url": "https://github.com/elixir-plug/plug_cowboy/commit/bfb34cb45eb354e56437f7023fb306de1bf9c19b" } ], "source": { "discovery": "EXTERNAL" }, "title": "Atom table exhaustion via HTTP/2 :scheme pseudo-header in plug_cowboy", "workarounds": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Disable HTTP/2 on the Plug.Cowboy.https/3 listener by passing protocol_options: %{protocols: [:http]} in the cowboy options. This restricts the listener to HTTP/1.1, where the scheme is derived from the listener type and is not attacker-controlled. Apply the same restriction to any plain-text listener on which HTTP/2 (h2c) has been enabled, since the vulnerable code path is the HTTP/2 request handling rather than TLS. This is a mitigation only; the fix is to upgrade to plug_cowboy 2.8.1 or later." } ], "value": "Disable HTTP/2 on the Plug.Cowboy.https/3 listener by passing protocol_options: %{protocols: [:http]} in the cowboy options. This restricts the listener to HTTP/1.1, where the scheme is derived from the listener type and is not attacker-controlled. Apply the same restriction to any plain-text listener on which HTTP/2 (h2c) has been enabled, since the vulnerable code path is the HTTP/2 request handling rather than TLS. This is a mitigation only; the fix is to upgrade to plug_cowboy 2.8.1 or later." } ], "x_generator": { "engine": "cvelib 1.8.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-04-27T19:04:33.154446Z", "id": "CVE-2026-32688", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T20:11:22.651Z" } } ] } }