CVE-2026-47067

Source
https://cve.org/CVERecord?id=CVE-2026-47067
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-47067.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-47067
Aliases
Published
2026-05-25T14:00:48.507Z
Modified
2026-06-18T03:57:09.469349643Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
Atom table exhaustion via unrecognized URL schemes in hackney
Details

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms are never garbage-collected, and the atom table defaults to a hard limit of 1,048,576 entries. An attacker who can supply URLs with attacker-chosen scheme prefixes, whether directly as request targets, as configured webhook URLs, or via Location headers followed during redirects, can exhaust the atom table and crash the entire BEAM VM with a system_limit error.

This issue affects hackney: from 2.0.0 before 4.0.1.
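The following Erlang module is an added illustration of the pattern described above and is not hackney's own code: the module name, function names and the allow-list of schemes are assumptions made for the example. parse_unsafe/1 reproduces the vulnerable shape (any scheme prefix becomes an atom); parse_safe/1 shows the hardened shape (a closed set of schemes mapped by pattern match, everything else rejected without touching the atom table); atom_growth/2 measures how many atoms a burst of attacker-chosen schemes adds under each parser, using erlang:system_info(atom_count).

```erlang
%% scheme_demo.erl: added illustration of the CVE-2026-47067 pattern.
%% This is NOT hackney's code; the scheme list and function names are
%% assumptions made for the example.
-module(scheme_demo).
-export([parse_unsafe/1, parse_safe/1, atom_growth/2, headroom/0]).

%% Vulnerable pattern: whatever precedes "://" is turned into an atom.
%% Each distinct attacker-chosen prefix permanently consumes one entry of
%% the atom table, which is never garbage-collected.
parse_unsafe(Url) when is_binary(Url) ->
    case binary:split(Url, <<"://">>) of
        [Scheme, Rest] -> {ok, binary_to_atom(Scheme, latin1), Rest};
        [_]            -> {error, no_scheme}
    end.

%% Hardened pattern: map a closed set of schemes to atoms by pattern match
%% and reject everything else while it is still a binary. No atom is ever
%% created at runtime, so untrusted input cannot grow the atom table.
parse_safe(Url) when is_binary(Url) ->
    case binary:split(Url, <<"://">>) of
        [Scheme, Rest] ->
            case known_scheme(string:lowercase(Scheme)) of
                {ok, Atom} -> {ok, Atom, Rest};
                error      -> {error, {unsupported_scheme, Scheme}}
            end;
        [_] ->
            {error, no_scheme}
    end.

%% Assumed allow-list for this example (hackney's real set may differ).
%% These atoms exist from module load time, so nothing is created here.
known_scheme(<<"http">>)       -> {ok, http};
known_scheme(<<"https">>)      -> {ok, https};
known_scheme(<<"http+unix">>)  -> {ok, 'http+unix'};
known_scheme(<<"https+unix">>) -> {ok, 'https+unix'};
known_scheme(_)                -> error.

%% Feed N URLs with unique scheme prefixes through a parser and report how
%% many atoms it added. Keep N small: with parse_unsafe/1 every call adds
%% one atom, and reaching the table limit terminates the whole node.
atom_growth(Parse, N) when is_function(Parse, 1), N < 10000 ->
    Before = erlang:system_info(atom_count),
    lists:foreach(
      fun(I) ->
              %% unique_integer keeps prefixes fresh across repeated runs
              Tag = integer_to_binary(erlang:unique_integer([positive])),
              Scheme = <<"x", (integer_to_binary(I))/binary, "-", Tag/binary>>,
              _ = Parse(<<Scheme/binary, "://example.invalid/hook">>)
      end,
      lists:seq(1, N)),
    erlang:system_info(atom_count) - Before.

%% Atoms left before the VM dies with system_limit (default table size is
%% 1,048,576; the erl +t flag raises it but only delays exhaustion).
headroom() ->
    erlang:system_info(atom_limit) - erlang:system_info(atom_count).
```

In a shell, `scheme_demo:atom_growth(fun scheme_demo:parse_unsafe/1, 1000).` reports 1000 new atoms for 1000 URLs, while the same call with `fun scheme_demo:parse_safe/1` reports 0; `scheme_demo:headroom().` shows how far the node is from the limit. binary_to_existing_atom/2 is the other common fix, but it raises badarg for unknown input and still depends on the atom having been created elsewhere, so an explicit pattern match on the supported schemes is the clearer guard. Operationally, a steadily rising atom_count on a node that follows redirects or fetches user-supplied webhook URLs is the signal to watch for.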

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47067.json",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "d9713695c0d99855d12c73fd8a0b4be0543950c4"
                },
                {
                    "fixed": "31f6f0e27e096ad88743dfded4f030a3ee74972e"
                }
            ]
        }
    ],
    "cwe_ids": [
        "CWE-770"
    ],
    "cna_assigner": "EEF"
}
References

Affected packages

Git / github.com/benoitc/hackney

Affected ranges

Type
GIT
Repo
https://github.com/benoitc/hackney
Events
Database specific
{
    "cpe": "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "4.0.1"
        }
    ]
}

Affected versions

2.*
2.0.0
2.0.1
3.*
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.2.0
3.2.1
4.*
4.0.0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-47067.json"