VYPR
High severity7.5NVD Advisory· Published May 25, 2026· Updated May 27, 2026

CVE-2026-47067

CVE-2026-47067

Description

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms are never garbage-collected and the atom table defaults to a hard limit of 1,048,576 entries. An attacker who can supply URLs with attacker-chosen scheme prefixes — directly as request targets, as configured webhook URLs, or via Location headers followed during redirects — can exhaust the atom table and crash the entire BEAM VM with system_limit.

This issue affects hackney: from 2.0.0 before 4.0.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • Benoitc/Hackneyinferred3 versions
    >=2.0.0,<4.0.1+ 2 more
    • (no CPE)range: >=2.0.0,<4.0.1
    • cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*range: >=2.0.0,<4.0.1
    • (no CPE)range: >=2.0.0 <4.0.1

Patches

Vulnerability mechanics

References

4

News mentions

1