
CVE-2026-47066

High ⚡ Exploit Available
CWE-835 — Weakness Type
Published: May 25, 2026  ·  Modified: Jun 1, 2026  ·  Source: NVD
CVSS v3
7.5
🔗 NVD Official
📄 Description (English)

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in benoitc hackney allows Excessive Allocation. The Alt-Svc response header parser in src/hackney_altsvc.erl does not guarantee forward progress. When parse_token/2 receives a non-token, non-whitespace, non-comma byte (e.g. !, @, =, ;), it returns the input unchanged. skip_comma/1 also returns the buffer unchanged when the first byte is not a comma. parse_entries/2 then recurses with identical data, creating a tight infinite tail-recursive loop that pins a scheduler at 100% CPU. The calling process never returns.

The entry point parse_and_cache/3 is called synchronously in the connection process on every HTTP response. A single-byte Alt-Svc: ! response header is sufficient to trigger the hang; the header is fully controlled by any HTTP origin the client connects to.

This issue affects hackney: from 2.0.0-beta.1 before 4.0.1.
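The loop shape the description gives, modelled in Python as an added example (this is not hackney's Erlang source; the function names only echo the advisory): a parse_token that consumes nothing on a leading non-token byte, a skip_comma that returns its input unchanged when there is no comma, and a parse_entries loop that therefore re-runs on identical data. Two things are assumptions: the token byte set (ALPHA, DIGIT, "-", "_", ".") is narrower than RFC 7230 tchar because the advisory lists "!" as a trigger byte, and the hardened branch is one fix shape (discard the malformed entry when an iteration consumed nothing), not necessarily what hackney 4.0.1 does. A step budget stands in for the real hang so the model returns a verdict instead of spinning.

```python
"""Model of the non-progressing Alt-Svc entry loop described in the advisory.

Added illustration in Python; NOT hackney's code. Assumption: token bytes are
ALPHA, DIGIT, "-", "_" and "." (narrower than RFC 7230 tchar, which includes
"!", because the advisory names "!" as a trigger byte).
"""
import string

TOKEN_BYTES = frozenset((string.ascii_letters + string.digits + "-_.").encode())
OWS_BYTES = frozenset(b" \t")


class NoProgress(Exception):
    """Raised by the model when the loop keeps re-entering with identical input."""


def parse_token(buf: bytes) -> tuple[bytes, bytes]:
    """Consume leading token bytes; returns (token, rest).
    On a leading non-token byte the token is empty and rest == buf: no progress."""
    i = 0
    while i < len(buf) and buf[i] in TOKEN_BYTES:
        i += 1
    return buf[:i], buf[i:]


def skip_ows(buf: bytes) -> bytes:
    """Drop leading optional whitespace."""
    i = 0
    while i < len(buf) and buf[i] in OWS_BYTES:
        i += 1
    return buf[i:]


def skip_comma(buf: bytes) -> bytes:
    """Drop one leading comma; returns buf unchanged if there is none."""
    return buf[1:] if buf[:1] == b"," else buf


def skip_to_comma(buf: bytes) -> bytes:
    """Discard bytes up to (not including) the next comma, or everything."""
    i = buf.find(b",")
    return b"" if i < 0 else buf[i:]


def parse_entries(value: bytes, hardened: bool = False, budget: int = 10_000) -> list[str]:
    """Return the protocol-ids of a comma-separated Alt-Svc value.

    hardened=False reproduces the advisory's loop: an entry starting with a
    non-token byte consumes nothing, skip_comma returns the same buffer, and
    the loop re-runs on identical data. The step budget replaces the real hang.
    hardened=True is one fix shape: when nothing was consumed, discard the
    malformed entry up to the next comma so every iteration makes progress.
    """
    entries: list[str] = []
    buf = value
    steps = 0
    while buf:
        steps += 1
        if steps > budget:
            raise NoProgress(buf)
        buf = skip_ows(buf)
        proto, rest = parse_token(buf)
        if proto:
            entries.append(proto.decode("ascii"))
            rest = skip_to_comma(rest)          # ignore ="authority" and ;params
        elif rest and not rest.startswith(b","):
            if hardened:
                rest = skip_to_comma(rest[1:])  # forward progress guaranteed
            # vulnerable path: rest is still identical to buf here
        buf = skip_comma(rest)
    return entries


def would_hang(value: bytes, hardened: bool = False) -> bool:
    """True if the modelled loop never terminates on this header value."""
    try:
        parse_entries(value, hardened=hardened)
    except NoProgress:
        return True
    return False


if __name__ == "__main__":
    # Constructed payloads: the advisory's single-byte triggers plus valid values.
    for payload in (b'h3=":443"; ma=86400', b"clear", b"!", b"@", b"="):
        print(payload, "vulnerable hangs:", would_hang(payload),
              "| hardened hangs:", would_hang(payload, hardened=True))
```

The same would_hang shape, with a step budget or a process timeout around the real parser, is what a regression test for the patched library looks like: feed the leading-byte payloads and assert that the call returns.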

🤖 AI Executive Summary

CVE-2026-47066 is a high-severity (CVSS 7.5) infinite-loop vulnerability in the Erlang HTTP client library hackney affecting versions 2.0.0-beta.1 through 4.0.0. Any HTTP origin the client connects to can return an Alt-Svc response header whose value begins with a single invalid byte; the connection process then spins at 100% CPU on one scheduler and never returns, a denial of service against the client. Exposure is greatest for services that fetch attacker-chosen URLs (webhook delivery, link previews, URL-based integrations) or that call third-party APIs and CDNs, which is how hackney is typically used in Saudi microservices, API gateways and distributed systems.

🤖 AI Intelligence Analysis Analyzed: May 29, 2026 02:03
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi financial institutions (SAMA-regulated banks, fintech platforms) relying on hackney for API communication with international payment networks and correspondent banks. Government agencies (NCA, CITC) using hackney in cloud infrastructure and API gateways face service disruption risks. Saudi Aramco and energy sector organizations processing HTTP responses from SCADA systems and remote monitoring could experience operational disruptions. Telecom operators (STC, Mobily, Zain) using hackney in billing systems and API orchestration are at risk. Healthcare providers (MOH systems) and e-commerce platforms processing customer transactions are vulnerable to DoS attacks via malicious Alt-Svc headers from compromised or attacker-controlled origins.
🏢 Affected Saudi Sectors
Banking and Financial Services Government and Public Administration Energy and Utilities Telecommunications Healthcare E-commerce and Retail Cloud Service Providers Technology and Software Development
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems running hackney versions 2.0.0-beta.1 through 4.0.0 from dependency inventories and lock files (rebar.lock, mix.lock, rebar3 tree, mix deps), including transitive pulls through wrappers such as HTTPoison, which depends on hackney
2. Where outbound traffic already passes through a TLS-terminating egress proxy you control, strip or normalise Alt-Svc response headers there; a network filter that cannot see inside TLS cannot touch this header at all
3. Watch for individual Erlang schedulers pinned at sustained 100%; a spinning connection process neither blocks nor crashes, so supervisors will not restart it on their own
4. Add a watchdog that terminates a hackney connection process whose reduction count keeps climbing while no response is delivered, so the scheduler is freed and the pool can reopen the connection

PATCHING GUIDANCE:
1. Upgrade hackney to version 4.0.1 or later
2. rebar3 projects: raise the version in rebar.config and run rebar3 upgrade hackney; Mix projects: set {:hackney, "~> 4.0.1"} in mix.exs and run mix deps.update hackney, then confirm the lock file moved
3. Rebuild and redeploy all affected services, and check that no other dependency pins an older hackney
4. Verify that responses carrying an Alt-Svc value that begins with a non-token byte (Alt-Svc: !, Alt-Svc: @, Alt-Svc: =) are handled without the connection process spinning

COMPENSATING CONTROLS (if immediate patching impossible):
1. Set aggressive timeouts on HTTP client calls so callers recover, and pair each timeout with an explicit kill of the hackney connection; a caller-side timeout alone returns control to the caller while the looping connection process keeps spinning
2. Deploy circuit breakers around outbound calls so repeated timeouts against one origin stop further requests to it
3. Route outbound traffic through a TLS-terminating reverse proxy (nginx, HAProxy) that strips Alt-Svc before the response reaches hackney; the header is advisory, so a client that never sees it simply keeps using the origin
4. Monitor per-process cost rather than "per-connection CPU": sample erlang:process_info(Pid, reductions) for connection processes (or recon:proc_count(reductions, N)) and kill processes whose reductions grow without bound between samples
5. Deploy a watchdog that terminates hung connection processes and lets the pool reopen them

DETECTION RULES:
1. Alert on sustained 100% utilisation of a single Erlang scheduler (erlang:statistics(scheduler_wall_time) or recon:scheduler_usage/1) with no matching rise in request throughput
2. Alert on Alt-Svc response headers whose value does not parse under the RFC 7838 grammar, i.e. an entry that begins with a byte that is not a token byte (!, @, a bare = or ;); = and ; inside a well-formed entry such as h3=":443"; ma=86400 are normal and must not alert. This is only observable where TLS is terminated (egress proxy) or at the application layer
3. Track HTTP response processing latency and correlate spikes with responses carrying Alt-Svc headers
4. Monitor connection process message queue depth; a spinning process never drains its mailbox, so queued messages only grow
5. Where tracing is available (recon_trace:calls/2 or erlang:trace/3 on hackney_altsvc:parse_and_cache/3), alert when a call does not return within 1 second; hackney does not emit this timing itself, so it has to be traced
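A check for detection rule 2, written as an added Python example (not tooling from hackney or the advisory) and run over constructed header records: it validates each Alt-Svc value against the RFC 7838 grammar (clear, or a comma-separated list of protocol-id="authority" entries with optional ;parameters) instead of grepping for = or ;, so ordinary entries pass and only values whose entry begins with a non-token byte are flagged. The token byte set (ALPHA, DIGIT, "-", "_", ".") is an assumption, deliberately narrower than RFC 7230 tchar so that it matches the trigger bytes the advisory lists; the sample records are constructed, not captured traffic.

```python
"""Alt-Svc well-formedness check for the detection rule above.

Added example; not part of hackney or of the advisory. Assumption: token
bytes are limited to ALPHA, DIGIT, "-", "_", "." to mirror the advisory's
trigger list (RFC 7230 tchar is wider and includes "!").
"""
import re

TOKEN = r"[A-Za-z0-9._-]+"                 # narrowed token (assumption, see above)
QUOTED = r'"(?:[^"\\]|\\.)*"'              # RFC 7230 quoted-string, simplified
PARAM = rf"{TOKEN}=(?:{TOKEN}|{QUOTED})"   # parameter = token "=" ( token / quoted-string )
# alt-value = protocol-id "=" alt-authority *( OWS ";" OWS parameter )
ALT_VALUE = rf"{TOKEN}={QUOTED}(?:[ \t]*;[ \t]*{PARAM})*"
# Alt-Svc = clear / 1#alt-value
ALT_SVC = re.compile(rf"[ \t]*(?:clear|{ALT_VALUE}(?:[ \t]*,[ \t]*{ALT_VALUE})*)[ \t]*")


def altsvc_is_wellformed(value: str) -> bool:
    """True when the header value parses under the RFC 7838 grammar."""
    return ALT_SVC.fullmatch(value) is not None


def flag_altsvc(records: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return the (origin, value) pairs whose Alt-Svc value would not parse,
    i.e. the ones a hackney client would spin on."""
    return [(origin, value) for origin, value in records
            if not altsvc_is_wellformed(value)]


# Constructed sample of (origin, Alt-Svc value) pairs, as a TLS-terminating
# egress proxy or the application layer would log them.
SAMPLE_RECORDS = [
    ("cdn.example", 'h3=":443"; ma=86400'),
    ("api.example", "clear"),
    ("multi.example", 'h2="alt.example:443", h3=":443"; ma=3600; persist=1'),
    ("bad1.example", "!"),
    ("bad2.example", "@"),
    ("bad3.example", "="),
    ("bad4.example", 'h3=":443", ;'),
]

if __name__ == "__main__":
    for origin, value in flag_altsvc(SAMPLE_RECORDS):
        print(f"ALERT origin={origin} alt_svc={value!r}")
```

The legitimate records all contain = and at least one contains ;, and none of them alert; a rule keyed on those characters alone would fire on every real Alt-Svc header.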
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
Vulnerability management (patching of third-party library components) · Secure software development and dependency hygiene · Cybersecurity event logs and monitoring · Network security management
🔵 SAMA CSF
Asset management and inventory (know where hackney is deployed) · Data security and integrity · Security event detection and anomaly monitoring · Incident response and recovery
🟡 ISO 27001:2022
A.5.9 Inventory of information and other associated assets · A.8.8 Management of technical vulnerabilities · A.8.16 Monitoring activities · A.8.25 Secure development life cycle · A.8.32 Change management
🟣 PCI DSS v4.0.1
Requirement 6.3 Security vulnerabilities are identified and addressed (6.3.3 applicable patches installed) · Requirement 11.3 External and internal vulnerabilities are regularly identified, prioritized and addressed · Requirement 2.2 System components are configured and managed securely
📦 Affected Products / CPE 1 entries
benoitc:hackney
📊 CVSS Score
7.5
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector (AV): N = Network
Attack Complexity (AC): L = Low
Privileges Required (PR): N = None
User Interaction (UI): N = None
Scope (S): U = Unchanged
Confidentiality (C): N = None
Integrity (I): N = None
Availability (A): H = High
📋 Quick Facts
Severity High
CVSS Score7.5
CWECWE-835
EPSS0.04%
Exploit ✓ Yes
Patch ✓ Yes
Published 2026-05-25
Source Feed nvd
🇸🇦 Saudi Risk Score
8.2
/ 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
exploit-available patch-available CWE-835