# Vulnerability Summary: EEF-CVE-2026-32688

## Vulnerability Overview

- **Vulnerability ID**: CVE-2026-32688
- **CVSS Score**: 9.7 (High)
- **Vulnerability Type**: Allocation of Resources Without Limits or Throttling
- **Affected Component**: `elixir-plug_cowboy`
- **Description**: In `elixir-plug_cowboy`, the `Plug.Cowboy.Conn.conn/1` function calls `String.to_atom/1` on the return value of `:cowboy_req.scheme/1`, which for HTTP/2 connections is supplied by the client. That value is inserted into the BEAM atom table without validation. Because atoms are never garbage collected and the table has a fixed limit (1,048,576 by default), an attacker can exhaust it by sending HTTP/2 requests with unique scheme values. Once the table is full the Erlang VM crashes, taking down the entire node.
- **Affected Protocol**: Only HTTP/2 is affected; HTTP/1.1 is not, because there the scheme is determined by the listener type rather than controlled by the client.
- **Affected Versions**: 2.0.0 to 2.8.1

## Impact Scope

- **Affected Package**:
  - Hex: `plug_cowboy`
  - GitHub: [elixir-plug/plug_cowboy](https://github.com/elixir-plug/plug_cowboy)
- **Affected Versions**: `2.*` (introduced in 2.0.0, fixed in 2.8.1)

## Remediation

- **Temporary Workaround**: On the `Plug.Cowboy` HTTPS/3 listener, restrict the listener to HTTP/1.1 only by setting `protocol_options: %{protocols: [:http]}`, so that the scheme value is no longer client-controlled.

## Additional Information

- **Source**: CNA (Elixir Plug Cowboy Security Advisories)
- **References**:
  - [GitHub Advisory](https://github.com/elixir-plug/plug_cowboy/security/advisories/GHSA-x8x4-x7mp-5vq2)
  - [CNA CVE Page](https://cna.erlef.org/osv/EEF-CVE-2026-32688.html)
  - [GitHub Commit](https://github.com/elixir-plug/plug_cowboy/commit/bfb34de56e354e564377023fb306debf9c19b)
  - [Hex Package](https://hex.pm/packages/plug_cowboy)
- **Discoverer**: Peter Ulrich - FINDER
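The root cause above is the unbounded `String.to_atom/1` call on client data. The following is an added illustration, not code from `plug_cowboy` or from the advisory, of the defensive pattern an application or library can use instead: map the scheme through a fixed allow-list so no new atom is ever created from request input, and expose the atom-table fill level so operators can alert before the VM limit is reached. The module name `SafeScheme` and its functions are assumptions chosen for this example.

```elixir
defmodule SafeScheme do
  # Hypothetical hardened replacement for the vulnerable pattern
  #   scheme |> String.to_atom()
  # Only the two schemes a listener can legitimately report are ever
  # converted, and both atoms already exist at compile time, so a request
  # can never grow the atom table regardless of how many distinct
  # scheme values it carries.
  @allowed %{"http" => :http, "https" => :https}

  @doc """
  Converts a scheme binary to an atom without ever creating a new atom.
  Unknown values are rejected instead of interned.
  """
  @spec to_atom(binary()) :: {:ok, :http | :https} | {:error, :invalid_scheme}
  def to_atom(scheme) when is_binary(scheme) do
    case Map.fetch(@allowed, scheme) do
      {:ok, atom} -> {:ok, atom}
      :error -> {:error, :invalid_scheme}
    end
  end

  @doc """
  Fraction of the atom table currently in use (0.0..1.0).
  Both system_info keys are standard OTP; a monitoring job can poll this
  and raise an alert well before the default limit of 1,048,576 is hit,
  since reaching it is fatal for the whole node.
  """
  @spec atom_table_usage() :: float()
  def atom_table_usage do
    used = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    used / limit
  end
end

# Constructed sample inputs: a normal scheme and an arbitrary one.
{:ok, :https} = SafeScheme.to_atom("https")
{:error, :invalid_scheme} = SafeScheme.to_atom("not-a-real-scheme-0001")
IO.puts("atom table usage: #{Float.round(SafeScheme.atom_table_usage() * 100, 2)}%")
```

If a code path truly needs dynamic conversion, `String.to_existing_atom/1` (which raises instead of allocating) is the next-best fallback, but an explicit allow-list as above is clearer and cannot be bypassed by an already-present atom name.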