CVE-2026-47066

Infinite loop in Alt-Svc header parser in hackney

Assigner: EEF
Reserved: 18.05.2026 Published: 25.05.2026 Updated: 25.05.2026

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in benoitc hackney allows Excessive Allocation. The Alt-Svc response header parser in src/hackney_altsvc.erl does not guarantee forward progress. When parse_token/2 receives a non-token, non-whitespace, non-comma byte (e.g. !, @, =, ;), it returns the input unchanged. skip_comma/1 also returns the buffer unchanged when the first byte is not a comma. parse_entries/2 then recurses with identical data, creating a tight infinite tail-recursive loop that pins a scheduler at 100% CPU. The calling process never returns.

The entry point parse_and_cache/3 is called synchronously in the connection process on every HTTP response. A single-byte Alt-Svc: ! response header is sufficient to trigger the hang; the header is fully controlled by any HTTP origin the client connects to.

This issue affects hackney: from 2.0.0-beta.1 before 4.0.1.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	benoitc
Product	hackney
Versions	Default: unaffected affected from 2.0.0-beta.1 to 4.0.1 (excl.)

Vendor

benoitc

Product

hackney

Versions

Default: unaffected

affected from 2.0.0-beta.1 to 4.0.1 (excl.)

Vendor	benoitc
Product	hackney
Versions	Default: unaffected affected from 408e5fe20302226ea8c74dde2bcbd452d712b5b2 to e548aba1f97ffa3f4750da7b772998fb78c01894 (excl.)