# CVE-2026-32688: Atom table exhaustion via HTTP/2 :scheme pseudo-header in plug_cowboy

## Vulnerability Overview

There is an "Allocation of Resources Without Limits or Throttling" (CWE-770) vulnerability in `elixir-plug plug_cowboy`. An attacker can send HTTP/2 requests with unique `:scheme` values, causing the BEAM virtual machine's atom table to be exhausted, which in turn triggers a system limit error and crashes the entire node.

This vulnerability affects only HTTP/2 connections because `cowboy` passes the client-provided `:scheme` pseudo-header value directly without validation. HTTP/1.1 is not affected, as its scheme is determined by the listener type.

## Impact Scope

- **Affected Component**: `plug_cowboy`
- **Affected Versions**: 2.0.0 to 2.8.1
- **CVSS Score**: 8.7 (HIGH)
- **CWE**: CWE-770
- **CAPEC**: CAPEC-125

## Remediation

- **Fixed Version**: `< 2.8.1`
- **Git Fix Commits**: `12ecf0824b` (Status: Affected) / `bfb34cb45e` (Status: Fixed)

### Temporary Workarounds

Disable HTTP/2 on the `Plug.Cowboy.https/3` listener by passing `protocol_options: %{protocols: [:http]}`. This forces the listener to use HTTP/1.1, thereby avoiding the vulnerability.

```elixir
Plug.Cowboy.https(MyApp.Endpoint, [
  # ... other options ...
  protocol_options: %{protocols: [:http]}
])
```
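The root cause the overview describes, shown as an added Elixir example that is not code from plug_cowboy, cowboy, or the fix commits: an unconditional `String.to_atom/1` on attacker-controlled input creates one never-collected atom per distinct value, whereas mapping the pseudo-header onto the two schemes a listener can actually serve bounds the atom table at two entries. The `SchemeHandling` module, its function names, and the `atom_headroom/0` check are assumptions made for this example; `:erlang.system_info(:atom_count)` and `:erlang.system_info(:atom_limit)` are real BEAM introspection calls.

```elixir
defmodule SchemeHandling do
  @moduledoc """
  Added example (not plug_cowboy code): the vulnerable and hardened ways of
  turning an untrusted `:scheme` pseudo-header string into an atom, plus an
  operational check on atom-table headroom.
  """

  # Vulnerable pattern (CWE-770): every distinct client-supplied string
  # becomes a new atom, and atoms are never garbage-collected. The number of
  # atoms this function can create is bounded only by the attacker's patience
  # and the atom table's size, after which the node hits a system_limit error.
  def scheme_to_atom_unbounded(scheme) when is_binary(scheme) do
    String.to_atom(scheme)
  end

  # Hardened pattern: only the schemes the listener can serve are mapped to
  # atoms, and they are literals that already exist at compile time. Any other
  # value is rejected without touching the atom table, so this function can
  # never grow it. (String.to_existing_atom/1 would also refuse to allocate,
  # but it raises on unknown input and still accepts any pre-existing atom.)
  def scheme_to_atom(scheme) when is_binary(scheme) do
    case scheme do
      "http" -> {:ok, :http}
      "https" -> {:ok, :https}
      _other -> {:error, :invalid_scheme}
    end
  end

  # Defender's check: remaining capacity in the atom table. A steadily rising
  # atom_count under request load, with no deploy or code load to explain it,
  # is the signal that some code path is creating atoms from untrusted input.
  def atom_headroom do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    %{atom_count: count, atom_limit: limit, remaining: limit - count}
  end

  # Demonstration with constructed inputs. The unbounded function is called
  # once with a single constructed value only to show the atom count move.
  def demo do
    before = atom_headroom()
    {:ok, :https} = scheme_to_atom("https")
    {:error, :invalid_scheme} = scheme_to_atom("not-a-real-scheme")
    after_safe = atom_headroom()

    _ = scheme_to_atom_unbounded("constructed-scheme-#{System.unique_integer()}")
    after_unsafe = atom_headroom()

    %{
      # Hardened path: atom_count unchanged regardless of input.
      safe_path_created_atoms: after_safe.atom_count - before.atom_count,
      # Vulnerable path: at least one new atom per distinct input.
      unsafe_path_created_atoms: after_unsafe.atom_count - after_safe.atom_count
    }
  end
end
```

Running `SchemeHandling.demo/0` in `iex` shows the hardened path leaving `atom_count` unchanged while the unbounded path grows it. The same `atom_headroom/0` values are worth exporting to whatever metrics pipeline the node already reports to, since atom-table growth is the only early warning this class of bug gives before the crash; raising the limit with the emulator's `+t` flag only buys time and is not a substitute for the version fix or the HTTP/1.1-only workaround above.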