What is GHSA-84f2-rp86-235p?

GHSA-84f2-rp86-235p is a security advisory published by GitHub Security Advisories with High severity. cowlib: Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame

Which CVE IDs does GHSA-84f2-rp86-235p cover?

GHSA-84f2-rp86-235p covers the following CVE IDs: CVE-2026-43970. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-84f2-rp86-235p?

GHSA-84f2-rp86-235p affects 1 product, including: erlang/cowlib:\u003e= 0.1.0, \u003c 2.16.1.

GHSA-84f2-rp86-235pHigh

cowlib: Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame

Vendor

GitHub Security Advisories

Published

May 13, 2026

Last Modified

May 19, 2026

🔗 CVE IDs covered (1)

CVE-2026-43970 →

📋 Description

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion.

cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2.

This issue affects cowlib from 0.1.0 before 2.16.1.

🎯 Affected products1

erlang/cowlib:>= 0.1.0, < 2.16.1

🔗 CVE IDs covered (1)

📋 Description

🎯 Affected products1

🔗 References (5)