CVE-2026-47067
Atom table exhaustion via unrecognized URL schemes in hackney
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms are never garbage-collected and the atom table defaults to a hard limit of 1,048,576 entries. An attacker who can supply URLs with attacker-chosen scheme prefixes β directly as request targets, as configured webhook URLs, or via Location headers followed during redirects β can exhaust the atom table and crash the entire BEAM VM with system_limit. This issue affects hackney: from 2.0.0 before 4.0.1.
| CWE | CWE-770 |
| Vendor | benoitc |
| Product | hackney |
| Published | May 25, 2026 |
| Last Updated | May 27, 2026 |
Get instant alerts for benoitc hackney
Be the first to know when new unknown vulnerabilities affecting benoitc hackney are published β delivered to Slack, Telegram or Discord.