Skip to main content

Hpax

1 CVEs product

Monthly

CVE-2026-58226 HIGH PATCH This Week

Unauthenticated denial-of-service in elixir-mint's hpax (the HPACK header-compression library for Elixir HTTP/2, versions 0.1.1 through 1.0.3) allows a remote attacker to force superlinear (~O(N²)) CPU consumption by sending a small header block containing an HPACK integer with a long run of continuation octets. Because BEAM integers are arbitrary-precision, the decoder builds an ever-growing bignum with no upper bound, turning a few crafted bytes into a large, attacker-controlled amount of CPU and transient memory - a classic decompression/amplification DoS. No public exploit is identified at time of analysis and it is not in CISA KEV, but a vendor patch (version 1.0.4) is available.

RCE Hpax
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated denial-of-service in elixir-mint's hpax (the HPACK header-compression library for Elixir HTTP/2, versions 0.1.1 through 1.0.3) allows a remote attacker to force superlinear (~O(N²)) CPU consumption by sending a small header block containing an HPACK integer with a long run of continuation octets. Because BEAM integers are arbitrary-precision, the decoder builds an ever-growing bignum with no upper bound, turning a few crafted bytes into a large, attacker-controlled amount of CPU and transient memory - a classic decompression/amplification DoS. No public exploit is identified at time of analysis and it is not in CISA KEV, but a vendor patch (version 1.0.4) is available.

RCE Hpax
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy