CVE-2026-58226
Received Received - Intake

Denial-of-Service in hpax via Algorithmic Complexity

Vulnerability report for CVE-2026-58226, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: EEF

Description

Inefficient Algorithmic Complexity vulnerability in elixir-mint hpax allows unauthenticated denial-of-service via unbounded HPACK integer decoding. hpax decodes HPACK variable-length integers with no upper bound on the decoded value or the number of continuation octets. 'Elixir.HPAX.Types':decode_remaining_integer/3 accumulates the integer as int + (value <<< m), shifting by 7 more bits for each continuation octet and stopping only on a terminating octet or truncated input, never because the integer grew too large. Because BEAM integers are arbitrary precision, a run of N continuation octets builds an O(N)-bit bignum and re-adds into an ever-larger bignum on each step, so the total decoding cost is superlinear (about O(N^2)). An unauthenticated attacker who can send an HTTP/2 header block to a server using this decoder (reached through the 'Elixir.HPAX':decode/2 entry point) can supply a small header block that forces a large, attacker-controlled amount of CPU (and transient memory), a denial-of-service amplification. This issue affects hpax from 0.1.1 before 1.0.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
elixir-mint hpax From 0.1.1 (inc) to 1.0.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-58226 is a vulnerability in the hpax library, which is an Elixir HPACK (HTTP/2 header compression) decoder. The issue arises because the decoder processes HPACK variable-length integers without any upper bound on the decoded value or the number of continuation octets.

Specifically, the function decode_remaining_integer/3 accumulates the integer by shifting bits for each continuation octet, but never stops due to the integer size growing too large. Since BEAM integers are arbitrary precision, this leads to superlinear computational complexity (approximately O(NΒ²)) when processing a long sequence of continuation octets.

An unauthenticated attacker can exploit this by sending a maliciously crafted HTTP/2 header block with many continuation octets, forcing the decoder to consume excessive CPU and memory resources, resulting in a denial-of-service amplification.

Detection Guidance

This vulnerability involves an unauthenticated denial-of-service attack via maliciously crafted HTTP/2 header blocks that contain an excessive number of HPACK continuation octets. Detection would involve monitoring for unusual or excessive HTTP/2 header blocks that trigger high CPU or memory usage in the hpax decoder.

Since the vulnerability is triggered by decoding HPACK integers with unbounded continuation octets, network detection could focus on inspecting HTTP/2 traffic for abnormally large or suspicious header blocks with long sequences of continuation octets.

On the system side, monitoring CPU and memory usage spikes in services using the hpax library during HTTP/2 header processing can help detect exploitation attempts.

Specific commands are not provided in the available resources, but general approaches include:

  • Using packet capture tools (e.g., tcpdump, Wireshark) to filter and analyze HTTP/2 header frames for unusually large or malformed HPACK integer encodings.
  • Monitoring system resource usage with tools like top, htop, or system monitoring solutions to detect spikes correlated with HTTP/2 traffic.
  • Enabling detailed logging in the application using hpax to capture decoding errors or unusually large header blocks.
Mitigation Strategies

The primary mitigation is to upgrade the hpax library to version 1.0.4 or later, where the vulnerability has been fixed by introducing bounds checking on the decoded integer values and the number of continuation octets.

The fix caps the decoded integer to a maximum of 2^32 - 1 and limits the number of continuation octets processed, preventing the superlinear CPU and memory consumption.

If immediate upgrade is not possible, consider implementing network-level protections such as rate limiting or filtering suspicious HTTP/2 header blocks to reduce exposure to malicious inputs.

Monitoring and alerting on unusual CPU or memory usage patterns during HTTP/2 header processing can also help detect and respond to exploitation attempts.

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) condition on any server using the vulnerable hpax library to decode HTTP/2 headers.

  • An attacker can send a small but specially crafted HTTP/2 header block that forces the decoder to perform superlinear (O(NΒ²)) bignum arithmetic.
  • This causes excessive CPU usage and transient memory consumption, potentially exhausting system resources.
  • The attack requires no authentication or special privileges, making it easy to exploit remotely.
  • The result is reduced system availability and possible service outages due to resource exhaustion.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58226. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart