Skip to main content

Elixir Mint CVE-2026-59246

| EUVDEUVD-2026-43643 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-14 EEF
6.3
CVSS 4.0 · Vendor: EEF
Share

Severity by source

Vendor (EEF) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.9 MEDIUM

Requires client connection to an attacker-controlled HTTP/2 server (AC:H); successful exploitation fully terminates the BEAM process (A:H); no confidentiality or integrity impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (EEF).

CVSS VectorVendor: EEF

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 14, 2026 - 09:33 vuln.today
Analysis Generated
Jul 14, 2026 - 09:33 vuln.today

DescriptionCVE.org

Allocation of resources without limits vulnerability in elixir-mint mint allows a remote HTTP/2 server to exhaust memory on the client host and cause a denial of service.

The Mint.HTTP2.handle_continuation/3 function in lib/mint/http2.ex accumulates the header-block fragment carried by each HTTP/2 CONTINUATION frame into a growing conn.headers_being_processed nesting, one level deeper per frame, and only releases it when a frame with the END_HEADERS flag arrives. The only guard on this accumulator is Mint.HTTP2.assert_header_block_within_max_size/2, which sums the byte size of the fragments received so far. Because a CONTINUATION frame is permitted by the protocol to carry a zero-length payload, an unbounded chain of zero-length CONTINUATION frames adds no bytes to the running total, never trips the size cap, and never emits END_HEADERS, yet each frame still nests the accumulator one level deeper.

A malicious HTTP/2 server (reachable directly, via an attacker-controlled redirect, via SSRF, or via a man-in-the-middle) can open a stream by sending a HEADERS frame without END_HEADERS and then stream zero-length CONTINUATION frames indefinitely. Client memory grows one cons cell per frame received; sustained bandwidth from the peer drives the BEAM node running the Mint client to memory exhaustion and eventual out-of-memory termination.

This issue affects mint: from 0.1.0 before 1.9.2.

AnalysisAI

Memory exhaustion in elixir-mint's HTTP/2 client library (mint) allows a malicious or attacker-controlled HTTP/2 server to crash any BEAM application using the library by streaming unbounded zero-length CONTINUATION frames that bypass the existing byte-size guard. Affected versions span mint 0.1.0 through 1.9.1; a vendor-released patch is confirmed in 1.9.2. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Connect to attacker-controlled HTTP/2 server
Delivery
Server sends HEADERS frame without END_HEADERS flag
Exploit
Server streams unbounded zero-length CONTINUATION frames
Execution
Each frame nests accumulator one cons cell deeper
Persist
Client BEAM VM exhausts heap memory
Impact
Application process terminates with OOM

Vulnerability AssessmentAI

Exploitation The Mint client must initiate an HTTP/2 connection to an attacker-controlled server; this can occur via four paths documented in the advisory: (1) direct connection - the application explicitly connects to a malicious host; (2) redirect - a legitimate server issues a 3xx redirect to an attacker-controlled HTTP/2 endpoint and the client follows it; (3) SSRF - the application fetches a user-supplied or externally influenced URL via Mint and the attacker points it at a malicious server; (4) MitM - a network-position attacker intercepts the HTTP/2 stream and injects the malicious frame sequence. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VA:L) scores 6.3. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operates an HTTP/2 server and causes a Mint-based Elixir client to connect to it - for example, by exploiting an SSRF vulnerability in a Phoenix application to point an outbound request at the attacker's host, or by inserting a redirect from a legitimate server to the malicious endpoint. The server opens a stream with a HEADERS frame omitting END_HEADERS, then continuously emits zero-length CONTINUATION frames; the client BEAM VM allocates one cons cell per frame and eventually exhausts available heap memory, terminating the application process. …
Remediation Upgrade elixir-mint/mint to version 1.9.2 or later, which contains patch commit 5779de1666344b32aefc4354184ea07f902f73ce; the patch and advisory are at https://github.com/elixir-mint/mint/commit/5779de1666344b32aefc4354184ea07f902f73ce and https://github.com/elixir-mint/mint/security/advisories/GHSA-8pf6-g464-h6h9 respectively. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59246 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy