CVE-2026-49754
Allocation of Resources Without Limits or Throttling in Mint HTTP/2 Client
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: EEF
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elixir-mint | mint | From 0.1.0 (inc) to 1.9.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-49754 is a vulnerability in the Mint HTTP client library for Elixir, affecting versions before 1.9.0. It occurs because the client does not limit the size or number of HTTP/2 CONTINUATION frames it accepts when processing headers.
Specifically, when the client receives a HEADERS frame without the END_HEADERS flag, it starts accumulating header fragments in a buffer. A malicious HTTP/2 server can send an endless stream of CONTINUATION frames, causing this buffer to grow without bound.
This unbounded accumulation leads to memory exhaustion in the client, potentially causing the BEAM process (the Erlang virtual machine process running Mint) to crash.
The attack requires only a single malicious connection and can be executed remotely without authentication.
How can this vulnerability impact me?
This vulnerability can cause your Mint HTTP client to consume excessive amounts of memory when communicating with a malicious or compromised HTTP/2 server.
The memory exhaustion can lead to the termination of the BEAM process running the client, resulting in denial of service (DoS) for applications relying on Mint.
Since only a single malicious connection is needed to trigger this, it poses a significant risk to availability and stability of services using vulnerable versions of Mint.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a malicious HTTP/2 server sending an endless sequence of CONTINUATION frames without the END_HEADERS flag, causing unbounded memory growth in the Mint client. Detection would involve monitoring HTTP/2 traffic for abnormal patterns such as a single connection receiving a large number of CONTINUATION frames without an END_HEADERS flag.
Specifically, you can look for HTTP/2 streams where HEADERS frames are followed by many CONTINUATION frames without the END_HEADERS flag set, which is unusual behavior.
Commands or tools to detect this might include using network traffic analyzers like Wireshark or tshark with filters for HTTP/2 CONTINUATION frames, for example:
- tshark -Y "http2.type == 9" -i <interface>
- Or using Wireshark to filter on 'http2.type == 9' to identify CONTINUATION frames.
Additionally, monitoring the memory usage of the Mint client process for unexpected growth during HTTP/2 connections could help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to restrict the Mint client to use HTTP/1 for untrusted connections, thereby avoiding the vulnerable HTTP/2 receive path.
Updating Mint to version 1.9.0 or later, where the vulnerability is patched, is the definitive fix.
The patch introduces a default cap on the size of inbound header blocks (256 KB) and enforces this limit during processing of CONTINUATION frames, terminating connections that exceed the limit with a PROTOCOL_ERROR GOAWAY.
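As an added illustration (not Mint's code, and not from this advisory), the following Python models the receive path described above at the HTTP/2 frame level: HEADERS and CONTINUATION fragments are accumulated until END_HEADERS, and the 256 KB cap the patch introduces turns an endless CONTINUATION sequence into a PROTOCOL_ERROR instead of unbounded buffering. The frame layout follows RFC 9113; the cap value is taken from the advisory text; the flood sample and all function names are constructed for this example.

```python
import struct

HEADERS, CONTINUATION = 0x1, 0x9          # HTTP/2 frame types (RFC 9113)
END_HEADERS = 0x4                         # flag that terminates a header block
MAX_HEADER_BLOCK = 256 * 1024             # default cap the advisory says Mint 1.9.0 introduced

class ProtocolError(Exception):
    """Peer exceeded the header-block limit; the caller answers with GOAWAY(PROTOCOL_ERROR)."""

def build_frame(ftype, flags, stream_id, payload):
    """Serialise one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    header = struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload

def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) for each whole frame in buf."""
    off = 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        sid = struct.unpack("!I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF
        yield ftype, flags, sid, buf[off + 9:off + 9 + length]
        off += 9 + length

def assemble_header_block(frames, max_block=MAX_HEADER_BLOCK):
    """Accumulate HEADERS/CONTINUATION fragments until END_HEADERS.
    Returns (block, bytes_buffered); block is None if END_HEADERS never arrived.
    max_block=None reproduces the unbounded pre-1.9.0 behaviour; an int models the fix.
    """
    fragments, total = [], 0
    for ftype, flags, sid, payload in frames:
        if ftype not in (HEADERS, CONTINUATION):
            continue                      # other frame types are irrelevant here
        total += len(payload)
        if max_block is not None and total > max_block:
            raise ProtocolError(f"header block on stream {sid} exceeds {max_block} bytes")
        fragments.append(payload)
        if flags & END_HEADERS:
            return b"".join(fragments), total
    return None, total                    # still waiting; without a cap, still growing

def continuation_flood_sample(n_frames, chunk=16 * 1024):
    """Constructed sample: HEADERS followed by n_frames CONTINUATIONs, END_HEADERS never set."""
    out = build_frame(HEADERS, 0, 1, b"\x00" * chunk)
    for _ in range(n_frames):
        out += build_frame(CONTINUATION, 0, 1, b"\x00" * chunk)
    return out
```

With `max_block=None` the assembler simply reports how much it has buffered and keeps waiting, which is the memory-growth condition the advisory describes; with the cap it aborts once the 17th 16 KB fragment pushes the total past 256 KB.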