{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/plug_cowboy-2.0.0--2.8.1/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-32688"}],"_cs_exploited":false,"_cs_products":["plug_cowboy (2.0.0 \u003c 2.8.1)","Phoenix"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","http2","atom-exhaustion"],"_cs_type":"advisory","_cs_vendors":["Erlang"],"content_html":"\u003cp\u003eA denial-of-service vulnerability exists in Plug.Cowboy versions prior to 2.8.1. This vulnerability allows an unauthenticated remote attacker to crash an Erlang VM by exhausting the BEAM atom table. The attack is performed by sending malicious HTTP/2 requests to a Plug.Cowboy listener. Successful exploitation leads to a complete denial of service, as the entire Erlang VM terminates. Phoenix applications using plug_cowboy with HTTP/2 enabled are also affected. Projects utilizing alternative HTTP adapters like Bandit are not susceptible to this specific vulnerability. The issue was identified and responsibly disclosed by Peter Ullrich.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a target server running Plug.Cowboy with HTTP/2 enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a series of HTTP/2 requests with a malformed or excessive number of \u003ccode\u003e:scheme\u003c/code\u003e header fields or other header fields that contribute to atom creation.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted HTTP/2 requests to the target server.\u003c/li\u003e\n\u003cli\u003ePlug.Cowboy processes the HTTP/2 requests, allocating a new atom for each unique header field value received.\u003c/li\u003e\n\u003cli\u003eThe attacker continues sending malicious requests, rapidly increasing the number of atoms in the Erlang VM.\u003c/li\u003e\n\u003cli\u003eThe BEAM atom table reaches its maximum capacity due to the attacker\u0026rsquo;s crafted requests.\u003c/li\u003e\n\u003cli\u003eThe Erlang VM crashes due to atom exhaustion, leading to a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eThe application using Plug.Cowboy becomes unavailable, disrupting service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a complete denial-of-service condition. All applications running on the affected Erlang VM will crash, impacting availability and potentially causing data loss. The number of victims depends on the deployment of Plug.Cowboy and Phoenix applications using HTTP/2. The vulnerability impacts any organization utilizing the affected software, potentially disrupting critical services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003eplug_cowboy\u003c/code\u003e version 2.8.1 or later to patch CVE-2026-32688.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, consider disabling HTTP/2 on affected Plug.Cowboy instances as a temporary mitigation.\u003c/li\u003e\n\u003cli\u003eDeploy a web application firewall (WAF) to filter HTTP/2 requests with suspicious header patterns, mitigating potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for excessive or malformed HTTP/2 requests, which might indicate an attempted atom table exhaustion attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T12:00:00Z","date_published":"2026-05-06T12:00:00Z","id":"/briefs/2026-05-plug-cowboy-dos/","summary":"An unauthenticated remote denial-of-service vulnerability in Plug.Cowboy allows attackers to exhaust the BEAM atom table via HTTP/2 requests, crashing the Erlang VM.","title":"Plug.Cowboy HTTP/2 Atom Table Exhaustion DoS","url":"https://feed.craftedsignal.io/briefs/2026-05-plug-cowboy-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Plug_cowboy (2.0.0 \u003c 2.8.1)","version":"https://jsonfeed.org/version/1.1"}