PT-2026-45785 · Mint · Mint

Credit: Eric Meadows-Jönsson (+1)
Published: 2026-06-02
Updated: 2026-06-02
CVE-2026-48862
CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: mint versions 0.2.0 through 1.8.x
Description: An attacker-controlled HTTP/2 server can exhaust memory in a client by flooding it with PUSH_PROMISE frames. In lib/mint/http2.ex, decode_push_promise_headers_and_add_response/5 inserts a :reserved_remote entry into conn.streams for every promised stream ID. assert_valid_promised_stream_id/2 only verifies that the promised ID is even and not already present; it does not consult client_settings.max_concurrent_streams at the time of the promise. Because the concurrency cap is enforced only when the response HEADERS for the promised stream arrive, a server that sends PUSH_PROMISE frames but withholds the matching HEADERS can pin entries in conn.streams without bound, leading to memory exhaustion. Server push is enabled by default through client_settings.enable_push, so any HTTP/2 connection to an untrusted server is exposed unless the client disables it.
Recommendations: Update to version 1.9.0 or later. As a temporary workaround, disable HTTP/2 server push on connections to untrusted servers by passing client_settings: [enable_push: false] to connect/4.
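The default (exposed) connection setup and the recommended workaround, side by side, as an added Elixir example that is not part of this advisory or of Mint itself. It uses only Mint's documented Mint.HTTP2 API (connect/4, request/5, stream/2, cancel_request/2, close/1). The module name Demo.PushSafeClient, the max_pushes budget and the budget-based cancellation are hypothetical application-side choices the advisory does not describe; the cancellation path further assumes that cancel_request/2 drops the promised stream's entry when it sends RST_STREAM.

```elixir
# Added example; not code from the advisory or from the Mint project.
# Assumes Mint's documented Mint.HTTP2 API. `Demo.PushSafeClient` and
# `max_pushes` are hypothetical names chosen for this illustration.
defmodule Demo.PushSafeClient do
  alias Mint.HTTP2

  # Weak setup on mint 0.2.0 through 1.8.x: enable_push defaults to true, so a
  # hostile server can keep sending PUSH_PROMISE frames and never the matching
  # HEADERS, pinning one :reserved_remote stream per promise.
  def connect_default(host, port) do
    HTTP2.connect(:https, host, port)
  end

  # Workaround from the advisory: advertise ENABLE_PUSH = 0. A server that still
  # sends PUSH_PROMISE violates RFC 9113, and the client treats the frame as a
  # connection error instead of reserving a stream for it.
  def connect_no_push(host, port) do
    HTTP2.connect(:https, host, port, client_settings: [enable_push: false])
  end

  # Defence in depth for callers that must keep push enabled (hypothetical,
  # application-side bound; not part of Mint): accept at most `max_pushes`
  # promises per request, reset each one with RST_STREAM so it does not stay
  # reserved, and close the connection once the budget is exceeded.
  def get(conn, path, max_pushes \\ 16) do
    with {:ok, conn, ref} <- HTTP2.request(conn, "GET", path, [], nil) do
      recv_loop(conn, ref, max_pushes, 0, [])
    end
  end

  defp recv_loop(conn, ref, max_pushes, pushes, acc) do
    receive do
      message ->
        case HTTP2.stream(conn, message) do
          {:ok, conn, responses} -> handle(responses, conn, ref, max_pushes, pushes, acc)
          {:error, conn, reason, _responses} -> {:error, conn, reason}
          :unknown -> recv_loop(conn, ref, max_pushes, pushes, acc)
        end
    after
      10_000 -> {:error, conn, :timeout}
    end
  end

  defp handle([], conn, ref, max_pushes, pushes, acc),
    do: recv_loop(conn, ref, max_pushes, pushes, acc)

  # Budget exhausted: this peer behaves like the flooding server described above,
  # so tear the whole connection down rather than keep accumulating reservations.
  defp handle([{:push_promise, ref, _promised_ref, _headers} | _rest], conn, ref, max_pushes, pushes, _acc)
       when pushes >= max_pushes do
    {:ok, conn} = HTTP2.close(conn)
    {:error, conn, :push_promise_flood}
  end

  # Within budget: RST_STREAM the promised stream so it is not left reserved
  # waiting for HEADERS the server may never send.
  defp handle([{:push_promise, ref, promised_ref, _headers} | rest], conn, ref, max_pushes, pushes, acc) do
    case HTTP2.cancel_request(conn, promised_ref) do
      {:ok, conn} -> handle(rest, conn, ref, max_pushes, pushes + 1, acc)
      {:error, conn, reason} -> {:error, conn, reason}
    end
  end

  defp handle([{:done, ref} | _rest], conn, ref, _max_pushes, _pushes, acc),
    do: {:ok, conn, Enum.reverse(acc)}

  defp handle([{:error, ref, reason} | _rest], conn, ref, _max_pushes, _pushes, _acc),
    do: {:error, conn, reason}

  # :status, :headers and :data for our request are accumulated as-is.
  defp handle([response | rest], conn, ref, max_pushes, pushes, acc),
    do: handle(rest, conn, ref, max_pushes, pushes, [response | acc])
end
```

connect_no_push/2 is the only change the advisory asks for; the budget in get/3 is an extra guard for clients that rely on push, and it is worth having because RFC 9113 §5.1.2 excludes streams in the reserved states from SETTINGS_MAX_CONCURRENT_STREAMS, so nothing in the protocol itself bounds how many promises a server may leave open. Upgrading to 1.9.0 or later remains the fix; this module only narrows the window on affected versions.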

Fix

Weakness Enumeration

Allocation of Resources Without Limits (CWE-770)

Related Identifiers

CVE-2026-48862
GHSA-G586-CCQF-7X4R

Affected Products

Mint