CVE-2026-49754
Deferred Deferred - Pending Action
Allocation of Resources Without Limits or Throttling in Mint HTTP/2 Client

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: EEF

Description
Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client (HTTP/2 CONTINUATION flood). When Mint's HTTP/2 receive path observes a HEADERS frame without the END_HEADERS flag, the unparsed header-block fragment is parked in conn.headers_being_processed, and every subsequent CONTINUATION frame on that stream is appended to the accumulator. Nothing in the receive path caps the accumulator: there is no per-stream size limit, no CONTINUATION frame-count limit, and max_header_list_size is only enforced on outgoing requests, never on inbound header blocks (its default is :infinity). A malicious or compromised HTTP/2 server can stream an endless sequence of CONTINUATION frames (each up to the peer-advertised SETTINGS_MAX_FRAME_SIZE) and drive the client's iolist to arbitrary size, causing memory exhaustion and BEAM process death. A single connection to an attacker-controlled HTTP/2 endpoint is sufficient. This issue affects mint: from 0.1.0 before 1.9.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-23
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-49754
EUVD
EUVD-2026-33940
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
elixir-mint mint From 0.1.0 (inc) to 1.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-49754 is a vulnerability in the Mint HTTP client library for Elixir, affecting versions before 1.9.0. It occurs because the client does not limit the size or number of HTTP/2 CONTINUATION frames it accepts when processing headers.

Specifically, when the client receives a HEADERS frame without the END_HEADERS flag, it starts accumulating header fragments in a buffer. A malicious HTTP/2 server can send an endless stream of CONTINUATION frames, causing this buffer to grow without bound.

This unbounded accumulation leads to memory exhaustion in the client, potentially causing the BEAM process (the Erlang virtual machine process running Mint) to crash.

The attack requires only a single malicious connection and can be executed remotely without authentication.

Impact Analysis

This vulnerability can cause your Mint HTTP client to consume excessive amounts of memory when communicating with a malicious or compromised HTTP/2 server.

The memory exhaustion can lead to the termination of the BEAM process running the client, resulting in denial of service (DoS) for applications relying on Mint.

Since only a single malicious connection is needed to trigger this, it poses a significant risk to availability and stability of services using vulnerable versions of Mint.

Detection Guidance

This vulnerability involves a malicious HTTP/2 server sending an endless sequence of CONTINUATION frames without the END_HEADERS flag, causing unbounded memory growth in the Mint client. Detection would involve monitoring HTTP/2 traffic for abnormal patterns such as a single connection receiving a large number of CONTINUATION frames without an END_HEADERS flag.

Specifically, you can look for HTTP/2 streams where HEADERS frames are followed by many CONTINUATION frames without the END_HEADERS flag set, which is unusual behavior.

Commands or tools to detect this might include using network traffic analyzers like Wireshark or tshark with filters for HTTP/2 CONTINUATION frames, for example:

  • tshark -Y "http2.type == 9" -i <interface>
  • Or using Wireshark to filter on 'http2.type == 9' to identify CONTINUATION frames.

Additionally, monitoring the memory usage of the Mint client process for unexpected growth during HTTP/2 connections could help detect exploitation attempts.

Mitigation Strategies

The recommended immediate mitigation is to restrict the Mint client to use HTTP/1 for untrusted connections, thereby avoiding the vulnerable HTTP/2 receive path.

Updating Mint to version 1.9.0 or later, where the vulnerability is patched, is the definitive fix.

The patch introduces a default cap on the size of inbound header blocks (256 KB) and enforces this limit during processing of CONTINUATION frames, terminating connections that exceed the limit with a PROTOCOL_ERROR GOAWAY.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-49754 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49754. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart