📄 Description (English)
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk, housekeeping message, or settings frame — it is not a wall-clock deadline. A malicious HTTP/3 server that emits one small chunk every Timeout - 1 ms with Fin = false and never sends a final frame keeps the loop alive indefinitely while the accumulation buffer grows linearly without bound, eventually exhausting the BEAM process heap and causing an out-of-memory condition.
This issue affects hackney: from 2.0.0 before 4.0.1.
🤖 AI Executive Summary
CVE-2026-47077 is a critical denial-of-service vulnerability in the Erlang HTTP client library hackney (versions 2.0.0 to 4.0.0) that allows remote attackers to exhaust server memory through unbounded HTTP/3 response body accumulation. A malicious server can send fragmented responses with reset inactivity timers, causing linear memory growth until process heap exhaustion. This vulnerability poses significant risk to Saudi organizations using hackney for API integrations, microservices, and cloud-native applications.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 29, 2026 07:32
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily affects Saudi organizations in: (1) Banking & Financial Services (SAMA-regulated entities) using hackney for payment gateway integrations and API communications; (2) Government agencies (NCA oversight) relying on Erlang-based microservices for citizen services; (3) Telecommunications (STC, Mobily) using hackney in network management and billing systems; (4) Energy sector (ARAMCO, utilities) with SCADA/ICS API integrations; (5) Healthcare providers using hackney for health information exchange systems. The DoS impact could disrupt critical services, violate SAMA uptime requirements (99.9%), and trigger NCA incident reporting obligations.
🏢 Affected Saudi Sectors
Banking & Financial Services
Government & Public Administration
Telecommunications
Energy & Utilities
Healthcare
Cloud Service Providers
E-commerce & Retail
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems running hackney versions 2.0.0-4.0.0 using: grep -r 'hackney' /path/to/project/mix.lock or rebar.lock
2. Isolate affected services from untrusted HTTP/3 servers; restrict outbound HTTP/3 connections to whitelisted endpoints
3. Implement connection-level rate limiting and maximum response size enforcement at reverse proxy/load balancer level
4. Monitor process memory usage with Erlang observer or custom metrics; set alerts for >80% heap utilization
PATCHING:
5. Upgrade hackney to version 4.0.1 or later immediately: mix deps.update hackney or rebar3 upgrade
6. Test in staging environment for 48 hours before production deployment
7. Implement rolling restart strategy to minimize service disruption
COMPENSATING CONTROLS (if immediate patching delayed):
8. Deploy WAF rules to limit HTTP/3 response chunk size and frequency
9. Implement per-connection memory quotas using Erlang process limits
10. Use connection timeouts with wall-clock deadlines instead of inactivity timers
11. Add explicit max_response_body_size configuration in hackney client options
DETECTION:
12. Monitor for: sustained high memory usage in hackney processes, slow HTTP/3 responses with many small chunks, process crashes with 'out_of_memory' errors
13. Log all HTTP/3 connections with response chunk counts and sizes
14. Alert on responses exceeding 100MB or taking >5 minutes to complete
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع الأنظمة التي تقوم بتشغيل إصدارات hackney 2.0.0-4.0.0 باستخدام: grep -r 'hackney' /path/to/project/mix.lock أو rebar.lock
2. عزل الخدمات المتأثرة عن خوادم HTTP/3 غير الموثوقة؛ تقييد اتصالات HTTP/3 الصادرة إلى نقاط نهاية مدرجة في القائمة البيضاء
3. تنفيذ تحديد معدل على مستوى الاتصال وفرض حد أقصى لحجم الاستجابة على مستوى الوكيل العكسي/موازن التحميل
4. مراقبة استخدام ذاكرة العملية باستخدام مراقب Erlang أو مقاييس مخصصة؛ تعيين تنبيهات لـ >80% استخدام الكومة
التصحيح:
5. ترقية hackney إلى الإصدار 4.0.1 أو أحدث على الفور: mix deps.update hackney أو rebar3 upgrade
6. الاختبار في بيئة التدريج لمدة 48 ساعة قبل نشر الإنتاج
7. تنفيذ استراتيجية إعادة التشغيل المتدرجة لتقليل انقطاع الخدمة
الضوابط التعويضية (إذا تأخر التصحيح الفوري):
8. نشر قواعد WAF لتحديد حجم وتكرار مقطع استجابة HTTP/3
9. تنفيذ حصص ذاكرة لكل اتصال باستخدام حدود عملية Erlang
10. استخدام مهل زمنية للاتصال مع مواعيد نهائية للساعة الحائط بدلاً من مؤقتات عدم النشاط
11. إضافة تكوين max_response_body_size صريح في خيارات عميل hackney
الكشف:
12. مراقبة: استخدام ذاكرة مرتفع مستمر في عمليات hackney، استجابات HTTP/3 بطيئة مع العديد من المقاطع الصغيرة، أعطال العملية مع أخطاء 'out_of_memory'
13. تسجيل جميع اتصالات HTTP/3 مع عدد وأحجام مقاطع الاستجابة
14. التنبيه على الاستجابات التي تتجاوز 100 ميجابايت أو تستغرق أكثر من 5 دقائق للإكمال
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.1.1 - Capacity management and resource allocation controls
ECC 2024 A.12.6.1 - Availability and resilience of information systems
ECC 2024 A.16.1.5 - Response to information security incidents
🔵 SAMA CSF
SAMA CSF ID.BE-1 - Business objectives and strategies aligned with cybersecurity
SAMA CSF PR.DS-4 - Adequate capacity and resources to support critical functions
SAMA CSF DE.AE-1 - Anomalies and events are detected and analyzed
🟡 ISO 27001:2022
ISO 27001:2022 A.5.23 - Information security for supplier relationships
ISO 27001:2022 A.8.2.1 - User endpoint devices
ISO 27001:2022 A.12.1.1 - Capacity management
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates for system components
PCI DSS 11.2 - Vulnerability scanning and remediation
🔗 References & Sources 5
🔗
https://cna.erlef.org/cves/CVE-2026-47077.html
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Third Party Advisory
Patch
🔗
https://github.com/benoitc/hackney/commit/3d25f9fea26c90609de9d64366fedfe5065413bc
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Patch
🔗
https://github.com/benoitc/hackney/security/advisories/GHSA-jq4m-q6p2-8gwc
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Exploit
Vendor Advisory
Patch
🔗
https://osv.dev/vulnerability/EEF-CVE-2026-47077
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Third Party Advisory
Patch
🔗
https://github.com/benoitc/hackney/security/advisories/GHSA-jq4m-q6p2-8gwc
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Vendor Advisory
Patch
📦 Affected Products / CPE 1 entries
benoitc:hackney