Skip to main content

Mint CVE-2026-49754

| EUVDEUVD-2026-33940 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-02 EEF GHSA-2p26-p43x-fhp8
8.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 02, 2026 - 18:05 vuln.today
Analysis Generated
Jun 02, 2026 - 18:05 vuln.today
CVSS changed
Jun 02, 2026 - 16:22 NVD
8.2 (HIGH)
CVE Published
Jun 02, 2026 - 14:15 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client (HTTP/2 CONTINUATION flood).

When Mint's HTTP/2 receive path observes a HEADERS frame without the END_HEADERS flag, the unparsed header-block fragment is parked in conn.headers_being_processed, and every subsequent CONTINUATION frame on that stream is appended to the accumulator. Nothing in the receive path caps the accumulator: there is no per-stream size limit, no CONTINUATION frame-count limit, and max_header_list_size is only enforced on outgoing requests, never on inbound header blocks (its default is :infinity).

A malicious or compromised HTTP/2 server can stream an endless sequence of CONTINUATION frames (each up to the peer-advertised SETTINGS_MAX_FRAME_SIZE) and drive the client's iolist to arbitrary size, causing memory exhaustion and BEAM process death. A single connection to an attacker-controlled HTTP/2 endpoint is sufficient.

This issue affects mint: from 0.1.0 before 1.9.0.

AnalysisAI

Memory exhaustion in the Elixir Mint HTTP/2 client (versions 0.1.0 through 1.8.x) allows a malicious or compromised HTTP/2 server to crash the client's BEAM process via a CONTINUATION frame flood. The client's receive path buffers HEADERS and CONTINUATION fragments into an unbounded accumulator because SETTINGS_MAX_HEADER_LIST_SIZE defaulted to :infinity and was only enforced on outbound requests, so a single attacker-controlled endpoint can force unlimited iolist growth until the process dies. No public exploit identified at time of analysis, but a verified upstream patch and detailed advisory exist.

Technical ContextAI

Mint is a low-level, process-less HTTP/1 and HTTP/2 client library widely used as the transport foundation for Elixir HTTP stacks such as Finch, Tesla, Req, and Swoosh, meaning the bug surface extends to any Elixir/Erlang service that initiates outbound HTTP/2 calls. The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling): when an HTTP/2 HEADERS frame arrives without END_HEADERS set, Mint stores the header-block fragment in conn.headers_being_processed and appends each subsequent CONTINUATION frame, with no per-stream byte cap, no frame-count cap, and no enforcement of the locally configured max_header_list_size on inbound data. The commit diff (b662d127) introduces a 256 KB default cap, tracks an acc_size alongside the fragment list, and aborts the connection with a PROTOCOL_ERROR GOAWAY once the accumulator would exceed SETTINGS_MAX_HEADER_LIST_SIZE, mirroring the CONTINUATION flood class disclosed for many HTTP/2 stacks in 2024.

RemediationAI

Vendor-released patch: upgrade Mint to 1.9.0 or later, which lands commit b662d127d3028b5426c88d4c9cc7fe430491a10b and changes the client default of max_header_list_size from :infinity to 256 KB while enforcing it on inbound HEADERS+CONTINUATION accumulation (closing the connection with PROTOCOL_ERROR if exceeded); update both direct and transitive dependents (Finch, Req, Tesla, Swoosh) by running mix deps.update mint and refreshing mix.lock. On pre-1.9.0 releases there is no in-library workaround because the enforcement code itself does not yet exist, so the compensating controls are operational: restrict outbound HTTP/2 destinations to a trusted allowlist via egress proxy or NetworkPolicy, disable HTTP/2 for client paths that target untrusted URLs by forcing HTTP/1.1 negotiation (trade-off: loss of multiplexing and head-of-line-blocking benefits), and run Mint-using workers with constrained memory limits (cgroup/systemd MemoryMax) plus supervisor restart so a single CONTINUATION-flood victim crashes and recycles rather than OOM-killing the node. Advisory and patch references: https://github.com/elixir-mint/mint/security/advisories/GHSA-2p26-p43x-fhp8 and https://github.com/elixir-mint/mint/commit/b662d127d3028b5426c88d4c9cc7fe430491a10b.

Share

CVE-2026-49754 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy