CVE-2026-48862
Allocation of Resources Without Limits or Throttling in Mint

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: EEF

Description
Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client via PUSH_PROMISE flooding. In lib/mint/http2.ex, Mint.HTTP2.decode_push_promise_headers_and_add_response/5 inserts a :reserved_remote entry into conn.streams for every promised stream ID. The neighbouring Mint.HTTP2.assert_valid_promised_stream_id/2 only verifies that the promised ID is even and not already present; client_settings.max_concurrent_streams is not consulted at promise time. The concurrency cap is only checked when the response HEADERS for the promised stream arrive, so a server that emits PUSH_PROMISE frames and withholds the matching HEADERS never trips that check. HTTP/2 server push is accepted by default (client_settings.enable_push defaults to true). A single long-lived HTTP/2 connection to a hostile server lets that server pin one conn.streams entry per PUSH_PROMISE frame it sends, with no upper bound, until the client process runs out of memory. This issue affects mint: from 0.2.0 before 1.9.0.
Affected Vendors & Products
Vendor    Product    Version / Range
elixir    mint       From 0.2.0 (inc) to 1.9.0 (exc)
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-48862 is a resource-exhaustion (CWE-770) vulnerability in the Mint HTTP/2 client library for Elixir, affecting versions from 0.2.0 up to but not including 1.9.0. The client accepts HTTP/2 PUSH_PROMISE frames from a server without enforcing its advertised concurrent-stream limit at the moment the promise arrives.

Specifically, each PUSH_PROMISE frame makes the client insert a :reserved_remote entry for the promised stream ID into its internal conn.streams map; the only checks at that point are that the ID is even and not already in use. The client_settings.max_concurrent_streams limit is consulted only when the response HEADERS for the promised stream arrive. A malicious server therefore sends many PUSH_PROMISE frames and simply never sends the matching HEADERS, so that check is never reached and the map grows by one entry per frame for as long as the connection stays open.

This leads to memory exhaustion in the process that owns the connection, and since BEAM processes have no per-process memory cap by default, ultimately to the VM running out of memory. The trigger is a remote server, with no authentication or user interaction, but it does require the client to connect to an attacker-controlled or compromised server. Server push is accepted by default (client_settings.enable_push defaults to true), so any Mint client that negotiates HTTP/2 with such a server is exposed unless push is disabled or the library is upgraded. Connections that negotiate HTTP/1 are not affected, because HTTP/1 has no server push.
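To make the two checks concrete, the following is an added model of the promise-time logic described above. It is an illustration written for this page, not Mint's code: the names accept_promise_unbounded, accept_promise_capped, check_cap and flood, and the plain map-of-states stand-in for conn.streams, are this example's own. It shows how the map grows under a server that promises and never answers, first with the even-and-unused check alone and then with a bound on streams the server already holds.

```elixir
defmodule PromiseCapDemo do
  # Added illustration modelled on the advisory, not Mint's code. `streams`
  # stands in for conn.streams (stream id => state) and `max` for the
  # SETTINGS_MAX_CONCURRENT_STREAMS value the client advertised to the server.

  # Vulnerable shape: a promised id only has to be even and unused, so the
  # map gains one :reserved_remote entry per PUSH_PROMISE, with no ceiling.
  def accept_promise_unbounded(streams, promised_id, _max) do
    with :ok <- check_promised_id(streams, promised_id) do
      {:ok, Map.put(streams, promised_id, :reserved_remote)}
    end
  end

  # Hardened shape: additionally refuse the promise once the server already
  # holds `max` reserved-or-open streams. RFC 9113 section 5.1.2 excludes
  # reserved streams from the concurrency count, which is exactly why a
  # client that defers the check to HEADERS time has no bound at all; the
  # client has to impose one itself.
  def accept_promise_capped(streams, promised_id, max) do
    with :ok <- check_promised_id(streams, promised_id),
         :ok <- check_cap(streams, max) do
      {:ok, Map.put(streams, promised_id, :reserved_remote)}
    end
  end

  defp check_promised_id(_streams, id) when rem(id, 2) == 1, do: {:error, :odd_promised_id}

  defp check_promised_id(streams, id) do
    if Map.has_key?(streams, id), do: {:error, :duplicate_stream}, else: :ok
  end

  defp check_cap(streams, max) do
    held = Enum.count(streams, fn {_id, state} -> state in [:reserved_remote, :open] end)
    if held >= max, do: {:error, :refused_stream}, else: :ok
  end

  # Hostile server: `n` PUSH_PROMISE frames promising even ids 2, 4, 6, ...
  # and never the matching HEADERS. Returns how many entries the client
  # ends up holding for that one connection.
  def flood(accept_fun, n, max) do
    Enum.reduce_while(1..n, %{}, fn i, streams ->
      case accept_fun.(streams, 2 * i, max) do
        {:ok, streams} -> {:cont, streams}
        {:error, _reason} -> {:halt, streams}
      end
    end)
    |> map_size()
  end
end

IO.inspect(PromiseCapDemo.flood(&PromiseCapDemo.accept_promise_unbounded/3, 10_000, 100),
  label: "entries held, unbounded check")

IO.inspect(PromiseCapDemo.flood(&PromiseCapDemo.accept_promise_capped/3, 10_000, 100),
  label: "entries held, capped check")
```

Run with `elixir promise_cap_demo.exs`. With the unbounded check the map holds one entry per frame (10_000 here, and in a real client as many as the server cares to send); with the capped check growth stops at the advertised limit of 100 and every further promise is refused.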


How can this vulnerability impact me?

This vulnerability can impact you by allowing a malicious HTTP/2 server to exhaust the memory of any Mint HTTP/2 client process that connects to it. By sending a large number of PUSH_PROMISE frames without corresponding HEADERS, the server makes the client keep one :reserved_remote entry per promise for the lifetime of the connection, consuming increasing amounts of memory.

The result is a denial-of-service condition: the client process may crash or become unresponsive due to memory exhaustion, and because BEAM memory is shared across the VM, other processes in the same node can be affected. This affects the availability of applications relying on Mint for HTTP/2 communication.

  • Remote exploitation without authentication or user interaction.
  • Memory exhaustion leading to client crashes or unavailability.
  • Potential disruption of services relying on Mint HTTP/2 client.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unbounded growth of the conn.streams map in the Mint HTTP/2 client due to excessive PUSH_PROMISE frames from a server. There is no network signature for a vulnerable version as such; detection focuses on the two observable symptoms: PUSH_PROMISE frames that are never followed by HEADERS on the promised stream, and memory growth in the process that owns the Mint connection.

Since the issue is triggered by a hostile HTTP/2 server sending many PUSH_PROMISE frames without corresponding HEADERS, network detection means capturing HTTP/2 traffic and counting PUSH_PROMISE frames (frame type 5) per connection against HEADERS frames (type 1) on the promised stream IDs. Mint carries HTTP/2 over TLS, so a packet analyzer only sees frame types if it can decrypt the session (for example by pointing tshark at a TLS key log file); without session keys, only the per-process symptom is observable.

Suggested commands include using network packet analyzers like tshark or Wireshark to filter HTTP/2 PUSH_PROMISE frames:

  • tshark -i <interface> -Y "http2.type == 5"
  • tshark -i <interface> -o tls.keylog_file:<path> -Y "http2.type == 5" (when the session keys are available)
  • Or using Wireshark display filter: http2.type == 5 (PUSH_PROMISE frames)

Additionally, monitor the memory of the process that holds the Mint connection rather than only the whole BEAM VM: Process.info(pid, :memory) in an IEx session, or the same value exported through your telemetry, grows with every promise and never shrinks while the connection stays open. A process whose memory climbs steadily while it issues no new requests of its own is the signature to alert on.
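As an added example (not from Mint or the advisory), the following Elixir module does offline what the tshark filter above does live: it walks raw HTTP/2 frames as received from a server and reports promised stream IDs that never received HEADERS, which is the exact condition the advisory describes. PushPromiseAudit and its functions are this example's own names, and the frames returned by sample/0 are constructed here for the demonstration.

```elixir
defmodule PushPromiseAudit do
  # Added example, not from Mint or the advisory: walk a raw sequence of
  # HTTP/2 frames from a server (TLS and the connection preface already
  # stripped) and report PUSH_PROMISE frames whose promised stream never got
  # a HEADERS frame. A hostile server leaves a growing list of such promises.
  @type_headers 0x1
  @type_push_promise 0x5
  @flag_end_headers 0x4
  @flag_padded 0x8

  @doc "Returns {number_of_push_promises, sorted promised ids that got no HEADERS}."
  def audit(frames), do: walk(frames, 0, MapSet.new())

  # Frame header (RFC 9113 section 4.1): 24-bit length, 8-bit type, 8-bit
  # flags, one reserved bit, 31-bit stream id, then `len` payload bytes.
  defp walk(<<len::24, type::8, flags::8, _r::1, stream_id::31,
              payload::binary-size(len), rest::binary>>, promised, pending) do
    case type do
      @type_push_promise ->
        id = promised_stream_id(payload, flags)
        walk(rest, promised + 1, MapSet.put(pending, id))

      @type_headers ->
        walk(rest, promised, MapSet.delete(pending, stream_id))

      _other ->
        walk(rest, promised, pending)
    end
  end

  # Empty input, or a trailing partial frame we cannot parse: report what we have.
  defp walk(_rest, promised, pending), do: {promised, Enum.sort(MapSet.to_list(pending))}

  # PUSH_PROMISE payload (section 6.6): a pad-length byte only when PADDED is
  # set, then a reserved bit and the 31-bit promised stream id, then the
  # header block fragment, which we do not need to decode.
  defp promised_stream_id(payload, flags) do
    payload =
      if Bitwise.band(flags, @flag_padded) == 0 do
        payload
      else
        <<_pad_len::8, unpadded::binary>> = payload
        unpadded
      end

    <<_r::1, id::31, _header_block::binary>> = payload
    id
  end

  # Frame builder used only to construct the sample below.
  def frame(type, flags, stream_id, payload) do
    <<byte_size(payload)::24, type::8, flags::8, 0::1, stream_id::31, payload::binary>>
  end

  # Constructed sample: the server promises streams 2, 4 and 6 against the
  # client's request stream 1, then answers only stream 2. The one-byte
  # header blocks are placeholder HPACK (indexed :method GET / :status 200).
  def sample do
    Enum.join([
      frame(@type_push_promise, @flag_end_headers, 1, <<0::1, 2::31, 0x82>>),
      frame(@type_push_promise, @flag_end_headers, 1, <<0::1, 4::31, 0x82>>),
      frame(@type_push_promise, @flag_end_headers, 1, <<0::1, 6::31, 0x82>>),
      frame(@type_headers, @flag_end_headers, 2, <<0x88>>)
    ])
  end
end

IO.inspect(PushPromiseAudit.audit(PushPromiseAudit.sample()), label: "{promises, unanswered}")
```

On the sample this reports three promises with streams 4 and 6 still unanswered. Against a decrypted capture, feed it the server-to-client byte stream of one connection; a promise count that keeps rising while the unanswered list never shrinks is the pattern from the advisory. A healthy server's promises are answered within a few round trips, so any alerting threshold can be low (tens, not thousands).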


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves disabling HTTP/2 server push in the Mint client by setting the connection option client_settings: [enable_push: false]. This prevents the client from accepting PUSH_PROMISE frames, thereby avoiding unbounded memory growth.

Alternatively, upgrading the Mint library to version 1.9.0 or later, where the vulnerability is fixed, is recommended.

The fix enforces the max_concurrent_streams limit at the time of receiving PUSH_PROMISE frames and rejects excessive promises, preventing memory exhaustion.
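The two connection shapes from the answer above, written out as an added example (not Mint's own code, nor the advisory's): the default call beside the hardened one, plus a post-connect check suitable for a test or health probe. Host, port and the limit of 100 are placeholders; Mint.HTTP.connect/4, Mint.HTTP.protocol/1 and Mint.HTTP2.get_client_setting/2 are Mint's public functions, the last used on the assumption that it is available in the Mint version in use.

```elixir
# Added example, not Mint's own code. Host, port and the limit of 100 are
# placeholders; the option names are Mint.HTTP.connect/4 options.
defmodule MintPushHardening do
  # As shipped: no :client_settings, so enable_push defaults to true and an
  # HTTP/2 server is free to send PUSH_PROMISE frames the client will reserve.
  def connect_default(host, port) do
    Mint.HTTP.connect(:https, host, port)
  end

  # Hardened: advertise SETTINGS_ENABLE_PUSH = 0 so the server may not push
  # at all, and keep the advertised concurrent-stream limit small so that,
  # on a fixed Mint, the promise-time check also has a tight bound. Forcing
  # :http2 here only makes the settings easy to inspect below; drop the
  # :protocols option to keep HTTP/1 fallback.
  def connect_hardened(host, port) do
    Mint.HTTP.connect(:https, host, port,
      protocols: [:http2],
      client_settings: [enable_push: false, max_concurrent_streams: 100]
    )
  end

  # Post-connect assertion: either the negotiated protocol is not HTTP/2
  # (there is no server push in HTTP/1) or the client setting we advertised
  # is enable_push: false. Assumes Mint.HTTP2.get_client_setting/2 exists in
  # the Mint version in use.
  def push_disabled?(conn) do
    Mint.HTTP.protocol(conn) != :http2 or
      Mint.HTTP2.get_client_setting(conn, :enable_push) == false
  end
end

# Usage, for example from a test or a release health check:
#
#   {:ok, conn} = MintPushHardening.connect_hardened("example.com", 443)
#   true = MintPushHardening.push_disabled?(conn)
#   {:ok, _conn} = Mint.HTTP.close(conn)
```

push_disabled?/1 is the check to keep in a test suite: it fails loudly if someone later removes the :client_settings option or a pooling library stops forwarding it.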


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability primarily impacts the availability of the Mint HTTP/2 client by allowing an attacker-controlled server to exhaust client memory through unbounded PUSH_PROMISE frames, leading to potential denial of service.

There is no direct information in the provided context or resources about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

