CVE-2026-56810
Received Received - Intake

Allocation of Resources Without Limits or Throttling in Mint HTTP1

Vulnerability report for CVE-2026-56810, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: EEF

Description

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint (Mint.HTTP1 module) allows a denial of service via an oversized chunked transfer-encoded response. This vulnerability is associated with program files lib/mint/http1.ex and program routines 'Elixir.Mint.HTTP1':decode_body/5, 'Elixir.Mint.HTTP1':add_body_to_buffer/2. When Mint decodes a chunked HTTP response body, it accumulates each partial fragment of the current chunk in the connection's data_buffer (an unbounded iolist) via add_body_to_buffer/2 and does not emit the data to the caller until the full declared chunk length has been received. The chunk size is taken directly from the server and parsed with no upper bound, so a malicious or compromised server can announce one enormous chunk (for example a size line of 7FFFFFFF, about 2 GiB) and then send the body bytes slowly without ever completing the chunk. The client buffers every received byte while it waits for a completion that never arrives, and because no data responses are produced until the chunk finishes, a caller that otherwise streams large content-length bodies safely gains no protection. An unauthenticated remote server (reachable whenever a client follows redirects, fetches user-supplied URLs, or processes webhooks) can drive the client's memory arbitrarily high and trigger an out-of-memory condition. This issue affects mint: from 0.5.0 before 1.9.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
elixir-mint mint to 1.9.1 (exc)
elixir-mint mint From 1.9.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56810 is a vulnerability in the Mint HTTP client library for Elixir, specifically in the Mint.HTTP1 module. It arises from the way Mint handles chunked transfer-encoded HTTP responses. When a server sends a chunked response, Mint buffers the entire chunk in memory before passing it to the caller. A malicious server can exploit this by declaring an extremely large chunk size (for example, about 2 GiB) and then sending the data very slowly without completing the chunk. Because Mint waits for the full chunk to be received before processing, it accumulates all the data in memory, which can grow without limit.

This unbounded buffering can cause the client application to consume excessive memory, potentially leading to an out-of-memory condition and denial of service. The vulnerability affects Mint versions from 0.5.0 up to but not including 1.9.1.

Impact Analysis

This vulnerability can impact you by causing a denial of service (DoS) condition in applications using the Mint library to handle HTTP/1.1 chunked responses. An attacker controlling a remote server can exploit this by sending a maliciously crafted HTTP response with an extremely large chunk size and slow data transmission. This forces the client to buffer large amounts of data in memory, potentially exhausting system memory.

The result can be application crashes or degraded performance due to out-of-memory errors, which can disrupt service availability. Since the vulnerability can be triggered by unauthenticated remote servers, it can be exploited via redirects, user-supplied URLs, or webhook endpoints.

Detection Guidance

This vulnerability involves a denial of service caused by a malicious server sending an oversized chunked transfer-encoded HTTP response with an extremely large chunk size and slow data transmission, leading to unbounded memory growth on the client.

To detect this vulnerability on your network or system, you should monitor HTTP responses for unusually large chunk sizes in chunked transfer-encoded responses and observe client memory usage patterns when processing such responses.

Specifically, you can use network traffic analysis tools like Wireshark or tcpdump to capture HTTP traffic and filter for chunked transfer-encoding headers with large chunk sizes.

  • Use tcpdump to capture HTTP traffic: tcpdump -i <interface> -s 0 -w capture.pcap 'tcp port 80 or tcp port 443'
  • Analyze the capture with Wireshark and filter for 'http.chunk_size > 1000000' to identify large chunk sizes.
  • Monitor client application memory usage during HTTP requests to suspicious servers using system tools like top, htop, or ps.
  • Check application logs or enable debug logging in the Mint HTTP client to detect unusually large chunk sizes or slow chunk completion.
Mitigation Strategies

The primary mitigation step is to upgrade the Mint library to version 1.9.1 or later, where the vulnerability has been fixed.

The fix ensures that chunked HTTP response data is emitted incrementally as it arrives rather than buffering entire chunks in memory, preventing unbounded memory growth.

Until you can upgrade, consider implementing network-level protections such as limiting the size of chunked HTTP responses or blocking suspicious servers that send oversized chunk sizes.

Additionally, monitor client memory usage and set resource limits to prevent out-of-memory conditions caused by malicious responses.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56810. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart