CVE Vulnerability Details: CVE-2026-49754
Status: PUBLISHED
Assigner: EEF
Assigner Org ID: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Published At: 02 Jun, 2026 | 14:15
Updated At: 02 Jun, 2026 | 19:14

CVE Numbering Authority (CNA)
HTTP/2 CONTINUATION flood in Mint client via unbounded header-block accumulation

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client (HTTP/2 CONTINUATION flood). When Mint's HTTP/2 receive path observes a HEADERS frame without the END_HEADERS flag, the unparsed header-block fragment is parked in conn.headers_being_processed, and every subsequent CONTINUATION frame on that stream is appended to the accumulator. Nothing in the receive path caps the accumulator: there is no per-stream size limit, no CONTINUATION frame-count limit, and max_header_list_size is only enforced on outgoing requests, never on inbound header blocks (its default is :infinity). A malicious or compromised HTTP/2 server can stream an endless sequence of CONTINUATION frames (each up to the peer-advertised SETTINGS_MAX_FRAME_SIZE) and drive the client's iolist to arbitrary size, causing memory exhaustion and BEAM process death. A single connection to an attacker-controlled HTTP/2 endpoint is sufficient. This issue affects mint versions from 0.1.0 before 1.9.0.

Affected Products

Vendor: elixir-mint
Product: mint
Collection URL: https://repo.hex.pm
Package Name: mint
Repo: https://github.com/elixir-mint/mint
CPEs:
  • cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*
Modules:
  • 'Elixir.Mint.HTTP2'
Program Files:
  • lib/mint/http2.ex
Program Routines:
  • 'Elixir.Mint.HTTP2':handle_continuation/3
  • 'Elixir.Mint.HTTP2':handle_headers/3
Default Status: unaffected
Affected Versions:
  • From 0.1.0 before 1.9.0 (semver)

Vendor: elixir-mint
Product: mint
Collection URL: https://github.com
Package Name: elixir-mint/mint
Repo: https://github.com/elixir-mint/mint.git
CPEs:
  • cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*
Modules:
  • 'Elixir.Mint.HTTP2'
Program Files:
  • lib/mint/http2.ex
Program Routines:
  • 'Elixir.Mint.HTTP2':handle_continuation/3
  • 'Elixir.Mint.HTTP2':handle_headers/3
Default Status: unaffected
Affected Versions:
  • From 596ca4304504be68939c4929e0831557097962b8 before b662d127d3028b5426c88d4c9cc7fe430491a10b (git)

Problem Types
Type: CWE
CWE ID: CWE-770
Description: Allocation of Resources Without Limits or Throttling

Metrics
Version: CVSS 4.0
Base score: 8.2
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Impacts
CAPEC ID: CAPEC-130
Description: Excessive Allocation

Workarounds

Restrict Mint to HTTP/1 on connections to untrusted servers by passing protocols: [:http1] to Mint.HTTP.connect/4. This avoids the vulnerable HTTP/2 receive path entirely, at the cost of losing HTTP/2 for those connections.

Credits
Finder: Peter Ullrich
Remediation developer: Eric Meadows-Jönsson
Analyst: Jonatan Männchen / EEF

References
  • https://github.com/elixir-mint/mint/security/advisories/GHSA-2p26-p43x-fhp8 (vendor-advisory, related)
  • https://cna.erlef.org/cves/CVE-2026-49754.html (related)
  • https://osv.dev/vulnerability/EEF-CVE-2026-49754 (related)
  • https://github.com/elixir-mint/mint/commit/b662d127d3028b5426c88d4c9cc7fe430491a10b (patch)

Authorized Data Publishers (ADP): CISA ADP Vulnrichment

References
  • https://github.com/elixir-mint/mint/security/advisories/GHSA-2p26-p43x-fhp8 (exploit)