microsoft · jslobodzian · May 30, 2026 · May 27, 2026
@@ -0,0 +1,55 @@
+From fe423c373907c1eee207964c52e73740ea293f05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lo=C3=AFc=20Hoguin?= <essen@ninenines.eu>
+Date: Tue, 12 May 2026 12:12:20 +0200
+Subject: [PATCH] Reject multipart header blocks above 2048 bytes
+
+This is a soft limit. If the data is already in the buffer,
+the header block will be parsed normally.
+
+A hardcoded value of 2048 was chosen because it is twice
+larger than the largest expected multipart header blocks.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/ninenines/cowboy/commit/5c6a2061b41bb5771c4659fac7d5a822dca5bafb.patch
+---
+ deps/cowboy/src/cowboy_req.erl | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/deps/cowboy/src/cowboy_req.erl b/deps/cowboy/src/cowboy_req.erl
+index 3f87677..e910b7f 100644
+--- a/deps/cowboy/src/cowboy_req.erl
++++ b/deps/cowboy/src/cowboy_req.erl
+@@ -611,11 +611,9 @@ read_part(Req, Opts) ->
+ read_part(Buffer, Opts, Req=#{multipart := {Boundary, _}}) ->
+ 	try cow_multipart:parse_headers(Buffer, Boundary) of
+ 		more ->
+-			{Data, Req2} = stream_multipart(Req, Opts, headers),
+-			read_part(<< Buffer/binary, Data/binary >>, Opts, Req2);
++			read_part_more(Buffer, Opts, Req);
+ 		{more, Buffer2} ->
+-			{Data, Req2} = stream_multipart(Req, Opts, headers),
+-			read_part(<< Buffer2/binary, Data/binary >>, Opts, Req2);
++			read_part_more(Buffer2, Opts, Req);
+ 		{ok, Headers0, Rest} ->
+ 			Headers = maps:from_list(Headers0),
+ 			%% Reject multipart content containing duplicate headers.
+@@ -630,6 +628,16 @@ read_part(Buffer, Opts, Req=#{multipart := {Boundary, _}}) ->
+ 		}, Stacktrace)
+ 	end.
+
++%% We reject multipart header blocks that are twice the maximum
++%% size of the largest expected multipart header blocks.
++read_part_more(Buffer, _, _) when byte_size(Buffer) > 2048 ->
++	exit({request_error, {multipart, headers},
++		'Malformed body; multipart header block too large.'
++	});
++read_part_more(Buffer, Opts, Req0) ->
++	{Data, Req} = stream_multipart(Req0, Opts, headers),
++	read_part(<<Buffer/binary, Data/binary>>, Opts, Req).
++
+ -spec read_part_body(Req)
+ 	-> {ok, binary(), Req} | {more, binary(), Req}
+ 	when Req::req().
+-- 
+2.45.4
+
@@ -2,7 +2,7 @@
 Summary:        rabbitmq-server
 Name:           rabbitmq-server
 Version:        3.13.7
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        Apache-2.0 and MPL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -11,6 +11,7 @@ URL:            https://rabbitmq.com
 Source0:        https://github.com/rabbitmq/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
 Patch0:			CVE-2025-30219.patch
 Patch1:			CVE-2025-50200.patch
+Patch2:			CVE-2026-8466.patch
 
 BuildRequires:  elixir
 BuildRequires:  erlang
@@ -67,6 +68,9 @@ done
 %{_libdir}/rabbitmq/lib/rabbitmq_server-%{version}/*
 
 %changelog
+* Wed May 27 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.13.7-4
+- Patch for CVE-2026-8466
+
 * Wed Oct 29 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.13.7-3
 - Patch for CVE-2025-50200