Byte Open Security

(ByteOS Network)
CVE Vulnerability Details: CVE-2026-48862
PUBLISHED
Assigner: EEF
Assigner Org ID: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Published At: 02 Jun, 2026 | 14:15
Updated At: 02 Jun, 2026 | 19:14
CVE Numbering Authority (CNA)
Unbounded conn.streams growth in Mint HTTP/2 client via unenforced PUSH_PROMISE concurrency

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client via PUSH_PROMISE flooding. In lib/mint/http2.ex, Mint.HTTP2.decode_push_promise_headers_and_add_response/5 inserts a :reserved_remote entry into conn.streams for every promised stream ID. The neighbouring Mint.HTTP2.assert_valid_promised_stream_id/2 only verifies that the promised ID is even and not already present; client_settings.max_concurrent_streams is not consulted at promise time. The concurrency cap is only checked when the response HEADERS for the promised stream arrive, so a server that emits PUSH_PROMISE frames and withholds the matching HEADERS never trips that check. HTTP/2 server push is accepted by default (client_settings.enable_push defaults to true). A single long-lived HTTP/2 connection to a hostile server lets that server pin one conn.streams entry per PUSH_PROMISE frame it sends, with no upper bound, until the client process runs out of memory. This issue affects mint: from 0.2.0 before 1.9.0.

Affected Products
Vendor: elixir-mint
Product: mint
Collection URL: https://repo.hex.pm
Package Name: mint
Repo: https://github.com/elixir-mint/mint
CPEs
  • cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*
Modules
  • 'Elixir.Mint.HTTP2'
Program Files
  • lib/mint/http2.ex
Program Routines
  • 'Elixir.Mint.HTTP2':handle_push_promise/3
  • 'Elixir.Mint.HTTP2':decode_push_promise_headers_and_add_response/5
Default Status: unaffected
Versions Affected
  • From 0.2.0 before 1.9.0 (semver)
Vendor: elixir-mint
Product: mint
Collection URL: https://github.com
Package Name: elixir-mint/mint
Repo: https://github.com/elixir-mint/mint.git
CPEs
  • cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*
Modules
  • 'Elixir.Mint.HTTP2'
Program Files
  • lib/mint/http2.ex
Program Routines
  • 'Elixir.Mint.HTTP2':handle_push_promise/3
  • 'Elixir.Mint.HTTP2':decode_push_promise_headers_and_add_response/5
Default Status: unaffected
Versions Affected
  • From 65c6394d05a1b8aa4a7461708c3aa173e8d7a5cf before 70b97b6a5209fb288b0e04d8e657dda26c59de67 (git)
Problem Types
Type: CWE
CWE ID: CWE-770
Description: CWE-770 Allocation of Resources Without Limits or Throttling
Metrics
Version: 4.0
Base score: 8.2
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Impacts
CAPEC ID: CAPEC-130
Description: CAPEC-130 Excessive Allocation
Workarounds

Disable HTTP/2 server push on connections to untrusted servers by passing client_settings: [enable_push: false] to Mint.HTTP.connect/4. This makes Mint reject any inbound PUSH_PROMISE frame with a PROTOCOL_ERROR before the vulnerable code path is reached.

Credits
Finder: Peter Ullrich
Remediation developer: Eric Meadows-Jönsson
Analyst: Jonatan Männchen / EEF
References
  • https://github.com/elixir-mint/mint/security/advisories/GHSA-g586-ccqf-7x4r (vendor-advisory, related)
  • https://cna.erlef.org/cves/CVE-2026-48862.html (related)
  • https://osv.dev/vulnerability/EEF-CVE-2026-48862 (related)
  • https://github.com/elixir-mint/mint/commit/70b97b6a5209fb288b0e04d8e657dda26c59de67 (patch)
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
References
  • https://github.com/elixir-mint/mint/security/advisories/GHSA-g586-ccqf-7x4r (exploit)