PT-2026-45787 · Unknown · Elixir-Mint

Eric Meadows-Jönsson +1

Published 2026-06-02 · Updated 2026-06-02

CVE-2026-49754

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: elixir-mint versions 0.1.0 through 1.8.x
Description: An attacker-controlled HTTP/2 server can exhaust the memory of a Mint client. The HTTP/2 receive path does not cap its accumulator when it sees a HEADERS frame without the END_HEADERS flag: every subsequent CONTINUATION frame is appended to the header block being processed (conn.headers_being_processed) with no per-stream size limit and no frame-count limit. In addition, the max header list size (SETTINGS_MAX_HEADER_LIST_SIZE) is enforced only on outgoing requests, not on inbound header blocks, so the client never rejects an over-large response header block. A malicious server can therefore stream an endless sequence of CONTINUATION frames and grow the client's iolist without bound until the connection's BEAM process dies of memory exhaustion.
Recommendations: Update to version 1.9.0 or later. Until then, restrict connections to untrusted servers to HTTP/1 by passing protocols: [:http1] to Mint.HTTP.connect/4, which keeps the connection off the vulnerable HTTP/2 receive path entirely.
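The accumulator described above, as an added example that is not Mint's code: a minimal HTTP/2 header-block receiver written in Python so that it runs stand-alone (Mint itself is Elixir). The H2Receiver, receive, frame, iter_frames and malicious_stream names, the constructed frame bytes and the 65 536-byte / 64-frame bounds are this example's own assumptions, not Mint's API or its 1.9.0 fix; only the frame layout (RFC 9113 section 4.1) and the 16 384-byte default frame size are the protocol's. With both limits left at None the receiver reproduces the vulnerable behaviour; with limits set it shows the inbound check a fixed client needs.

```python
import struct

FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4
DEFAULT_MAX_FRAME_SIZE = 16_384  # initial SETTINGS_MAX_FRAME_SIZE (RFC 9113 6.5.2)

class HeaderBlockTooLarge(Exception):
    """Raised by the hardened receiver when an inbound header block exceeds a bound."""

def frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) from a byte string of whole frames."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + FRAME_HEADER_LEN:off + FRAME_HEADER_LEN + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length

class H2Receiver:
    """Header-block receive state (names are this example's, not Mint's). Limits of None
    reproduce the vulnerable behaviour: fragments pile up in headers_being_processed until
    END_HEADERS arrives, however many bytes or frames that takes. With limits set (hardened),
    the accumulator is dropped and the connection errors as soon as a fragment would exceed a
    bound. HEADERS padding/priority stripping is omitted for brevity."""

    def __init__(self, max_header_list_size=None, max_continuation_frames=None):
        self.max_header_list_size = max_header_list_size
        self.max_continuation_frames = max_continuation_frames
        self.headers_being_processed = None  # (stream_id, fragments, total_bytes, continuations)
        self.completed = []  # (stream_id, header_block_bytes) for each finished block

    @property
    def buffered_bytes(self):
        return 0 if self.headers_being_processed is None else self.headers_being_processed[2]

    def handle_frame(self, ftype, flags, stream_id, payload):
        hbp = self.headers_being_processed
        if ftype == TYPE_HEADERS:
            if hbp is not None:
                raise ValueError("HEADERS while another header block is open")
            hbp = (stream_id, [payload], len(payload), 0)
        elif ftype == TYPE_CONTINUATION:
            if hbp is None or hbp[0] != stream_id:
                raise ValueError("CONTINUATION without a matching open HEADERS")
            sid, frags, total, count = hbp
            frags.append(payload)
            hbp = (sid, frags, total + len(payload), count + 1)
        else:
            raise ValueError("frame type not handled in this example")
        sid, frags, total, count = hbp
        # Hardened path: bound the inbound block before the fragment is kept.
        if self.max_header_list_size is not None and total > self.max_header_list_size:
            self.headers_being_processed = None
            raise HeaderBlockTooLarge(f"inbound header block of {total} bytes exceeds {self.max_header_list_size}")
        if self.max_continuation_frames is not None and count > self.max_continuation_frames:
            self.headers_being_processed = None
            raise HeaderBlockTooLarge(f"{count} CONTINUATION frames exceeds {self.max_continuation_frames}")
        if flags & FLAG_END_HEADERS:
            self.headers_being_processed = None
            block = b"".join(frags)
            self.completed.append((sid, block))
            return block
        self.headers_being_processed = hbp
        return None

def receive(receiver, data):
    """Feed every frame to the receiver; returns (frames_read, rejected_by_hardened_check)."""
    n = 0
    try:
        for ftype, flags, sid, payload in iter_frames(data):
            n += 1
            receiver.handle_frame(ftype, flags, sid, payload)
    except HeaderBlockTooLarge:
        return n, True
    return n, False

# Constructed: a legitimate response header block split over three frames.
BENIGN_RESPONSE = (
    frame(TYPE_HEADERS, 0x0, 1, b"\x88")  # HPACK indexed field 8 = ":status: 200"
    + frame(TYPE_CONTINUATION, 0x0, 1, b"\x0f\x10")  # arbitrary fragment bytes, not decoded here
    + frame(TYPE_CONTINUATION, FLAG_END_HEADERS, 1, b"\x0atext/plain")
)

def malicious_stream(n_continuations, chunk=DEFAULT_MAX_FRAME_SIZE):
    """Constructed attacker output: HEADERS without END_HEADERS followed by n max-size
    CONTINUATION frames that never set END_HEADERS, so the block never completes."""
    return (frame(TYPE_HEADERS, 0x0, 1, b"\x88")
            + frame(TYPE_CONTINUATION, 0x0, 1, b"\x00" * chunk) * n_continuations)
```

Left unlimited, the receiver keeps every CONTINUATION fragment, so buffered_bytes grows linearly with the attacker's frame count and never returns a completed block; that is the iolist growth the description refers to, and on a real socket it only stops when the process dies. With a 65 536-byte bound the same stream is refused at the fifth frame and the accumulator is cleared, because the check runs as each fragment arrives rather than when the block finally completes. Both bounds are worth keeping: the frame-count cap still catches a server that sends thousands of tiny CONTINUATION frames below the byte limit.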

Fix

Weakness Enumeration

Allocation of Resources Without Limits or Throttling (CWE-770)

Related Identifiers

CVE-2026-49754
GHSA-2P26-P43X-FHP8

Affected Products

Elixir-Mint