Cyber Posture

CVE-2026-32873

Severity: High · Public PoC

Published: 20 March 2026
Modified: 16 April 2026
KEV Added: not listed
Patch: available (3.0.5)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0002 (6.1st percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32873 is a high-severity Expired Pointer Dereference (CWE-825) vulnerability in vshakitskiy's ewe Gleam web server. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 6.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-Service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: Flaw remediation. Timely patching to version 3.0.5 or later directly eliminates the infinite loop in handle_trailers for rejected trailer headers.

Prevent / Detect: SC-5 Denial-of-Service Protection. Safeguards against resource-exhaustion attacks such as the CPU-wedging infinite loop triggered by malformed chunked HTTP trailer headers.

Prevent: SC-6 Resource Availability. Limiting the CPU a single request may consume mitigates the permanent 100% CPU usage caused by the inescapable recursion through decoder.decode_packet.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The CVE describes a remote unauthenticated DoS via crafted chunked HTTP requests that trigger an infinite loop and CPU exhaustion in the web server's trailer handling logic (before any application code executes). This directly matches T1499.004 (Application or System Exploitation), a sub-technique of Endpoint Denial of Service that covers exploitation of software bugs to crash or starve resources.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handle_trailers function where rejected trailer headers (forbidden or undeclared) cause an infinite loop. When handle_trailers encounters such a trailer, three code paths (lines 520, 523, 526) recurse with the original buffer (rest) instead of advancing past the rejected header (Buffer(header_rest, 0)), causing decoder.decode_packet to re-parse the same header on every iteration. The resulting loop has no timeout or escape — the BEAM process permanently wedges at 100% CPU. Any application that calls ewe.read_body on chunked requests is affected, and this is exploitable by any unauthenticated remote client before control returns to application code, making an application-level workaround impossible. This issue is fixed in version 3.0.5.

Deeper analysisAI

CVE-2026-32873 is a denial-of-service vulnerability in the ewe Gleam web server, affecting versions 0.8.0 through 3.0.4. The issue stems from a bug in the handle_trailers function, where rejected trailer headers—either forbidden or undeclared—trigger an infinite loop. Specifically, three code paths (lines 520, 523, and 526) recurse using the original buffer instead of advancing past the rejected header, causing the decoder.decode_packet function to repeatedly parse the same header without timeout or escape. This results in the BEAM process permanently consuming 100% CPU. Applications that invoke ewe.read_body on chunked requests are impacted.

Any unauthenticated remote client can exploit this vulnerability by sending a malicious chunked HTTP request containing rejected trailer headers. Exploitation occurs before control returns to application code, rendering application-level mitigations ineffective. Successful attacks cause a permanent denial of service, as the affected BEAM process wedges indefinitely at full CPU utilization, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflecting its network accessibility, low complexity, and high availability impact (mapped to CWE-825 and CWE-835).

The vulnerability is addressed in ewe version 3.0.5. The GitHub security advisory (GHSA-4w98-xf39-23gp) and related commits (8513de9dcdd0005f727c0f6f15dd89f8d626f560 and d8b9b8a86470c0cb5696647997c2f34763506e37) detail the fix, which corrects the buffer advancement in the affected code paths to prevent recursion. Security practitioners should upgrade to 3.0.5 or later and monitor for unusual CPU spikes on chunked request handling.
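As an added illustration of the bug class described in the NVD text and the analysis above (this is a simplified Python model, not ewe's Gleam code), the following recursive trailer handler shows the vulnerable reject path, which recurses on the unchanged buffer, beside the corrected path that advances past the rejected header. The function names mirror the advisory; the forbidden-field set, the declared-trailer set and the sample trailer block are constructed for the demonstration.

```python
# Added Python model of the CVE-2026-32873 bug class (not ewe's Gleam code).
# A chunked-transfer receiver must reject trailer fields that are forbidden
# or were not announced in the Trailer header; the bug is what happens next.

FORBIDDEN = {"content-length", "transfer-encoding", "host"}  # assumed forbidden set
MAX_STEPS = 500  # safety valve standing in for the never-ending 100% CPU loop

# Constructed sample: one declared trailer, then one forbidden one, then CRLF.
SAMPLE_TRAILERS = b"X-Checksum: abc123\r\nContent-Length: 5\r\n\r\n"
DECLARED = {"x-checksum"}


def decode_packet(buf: bytes):
    """Split one 'Name: value\\r\\n' line off the front of buf.
    Returns (name, value, after_header), or None at the terminating CRLF
    or when no complete line is available."""
    if buf.startswith(b"\r\n") or b"\r\n" not in buf:
        return None
    line, _, after_header = buf.partition(b"\r\n")
    name, _, value = line.partition(b":")
    return name.strip().lower().decode(), value.strip().decode(), after_header


def handle_trailers(buf, declared, fixed, accepted=None, steps=0):
    """Recursively consume trailers; returns (accepted, steps, wedged).
    fixed=False models the vulnerable code paths, fixed=True the 3.0.5 fix."""
    accepted = {} if accepted is None else accepted
    if steps >= MAX_STEPS:
        return accepted, steps, True  # would spin forever without the valve
    parsed = decode_packet(buf)
    if parsed is None:
        return accepted, steps, False
    name, value, after_header = parsed
    if name in FORBIDDEN or name not in declared:
        # Vulnerable: recurse with the ORIGINAL buffer (the advisory's `rest`),
        # so decode_packet re-parses the same rejected header every time.
        # Fixed: recurse with the bytes after the header (`Buffer(header_rest, 0)`).
        next_buf = after_header if fixed else buf
        return handle_trailers(next_buf, declared, fixed, accepted, steps + 1)
    accepted[name] = value
    return handle_trailers(after_header, declared, fixed, accepted, steps + 1)


def run(fixed: bool):
    """Parse the constructed sample with the vulnerable or the fixed variant."""
    return handle_trailers(SAMPLE_TRAILERS, DECLARED, fixed)


if __name__ == "__main__":
    print("vulnerable:", run(False))  # wedges: steps hit MAX_STEPS
    print("fixed:     ", run(True))   # terminates after 2 steps
```

The defensive takeaway is the invariant the fix restores: every recursion on the reject path must strictly shrink the buffer, otherwise a single crafted request pins the process.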

Details

CWE(s): CWE-825 (Expired Pointer Dereference), CWE-835

Affected Products: vshakitskiy ewe, versions 0.8.0 up to 3.0.5 (fixed in 3.0.5)

CVEs Like This One

CVE-2026-2219 (shared CWE-835)
CVE-2026-32287 (shared CWE-835)
CVE-2026-31448 (shared CWE-835)
CVE-2026-21507 (shared CWE-835)
CVE-2026-26283 (shared CWE-835)
CVE-2025-64438 (shared CWE-835)
CVE-2026-2436 (shared CWE-825)
CVE-2026-33013 (shared CWE-835)
CVE-2026-27628 (shared CWE-835)
CVE-2026-35406 (shared CWE-835)
