CVE-2026-8468
Unbounded buffer accumulation in multipart header parsing causes denial of service in plug
Description
Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing. 'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) > length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service. This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.
INFO
Published Date :
May 14, 2026, 11:16 a.m.
Last Modified :
May 14, 2026, 12:16 p.m.
Remotely Exploit :
Yes !
Source :
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Affected Products
The following products are affected by CVE-2026-8468
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 4.0 | HIGH | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | ||||
| CVSS 4.0 | HIGH | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db |
Solution
- Update plug to version 1.15.4 or later.
- Apply patches for versions 1.16.3, 1.17.1, 1.18.2, or 1.19.2.
- Implement memory limits for request processing.
- Validate multipart request sizes.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-8468.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-8468 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-8468
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-8468 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2026-8468 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
May. 14, 2026
Action Type Old Value New Value Changed Description Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing. plug_multipart in src/plug_multipart.erl is a fork of the cow_multipart module from ninenines cowboy (CVE-2026-8466). The same unbounded accumulation pattern is present in 'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex: it accumulates incoming request bytes into a growing binary with no upper-bound check. When plug_multipart:parse_headers/2 returns more or {more, Buffer}, the function reads up to 64 KB from the underlying socket and recurses with the enlarged buffer. There is no equivalent of the byte_size(acc) > length guard present in the sibling function read_part_body/8. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section — for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \r\n\r\n — and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory. This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2. Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing. 'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) > length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service. This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2. -
New CVE Received by 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
May. 14, 2026
Action Type Old Value New Value Added Description Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing. plug_multipart in src/plug_multipart.erl is a fork of the cow_multipart module from ninenines cowboy (CVE-2026-8466). The same unbounded accumulation pattern is present in 'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex: it accumulates incoming request bytes into a growing binary with no upper-bound check. When plug_multipart:parse_headers/2 returns more or {more, Buffer}, the function reads up to 64 KB from the underlying socket and recurses with the enlarged buffer. There is no equivalent of the byte_size(acc) > length guard present in the sibling function read_part_body/8. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section — for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \r\n\r\n — and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory. This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2. Added CVSS V4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-770 Added Reference https://cna.erlef.org/cves/CVE-2026-8466.html Added Reference https://cna.erlef.org/cves/CVE-2026-8468.html Added Reference https://github.com/elixir-plug/plug/commit/2cb7958d33030aa826b0c7404375844d4593d43a Added Reference https://github.com/elixir-plug/plug/commit/33858427c7f2737d560a2e40a0c9a9270d77d1d7 Added Reference https://github.com/elixir-plug/plug/commit/aa69c5ece99c40ded88b8c6581ecc86664b0b734 Added Reference https://github.com/elixir-plug/plug/commit/d5dfffe25e975585227b1b85d247b0d14164bc45 Added Reference https://github.com/elixir-plug/plug/commit/df812a1527bae9e941965e897308a2b8bbf83a94 Added Reference https://github.com/elixir-plug/plug/security/advisories/GHSA-468c-vq7p-gh64 Added Reference https://osv.dev/vulnerability/EEF-CVE-2026-8468