PT-2026-55926 · Hexpm · Hpax

Andrea Leopardi

+2

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-58226

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions hpax versions 0.1.1 through 1.0.3
Description An inefficient algorithmic complexity issue exists during the decoding of HPACK variable-length integers. The Elixir.HPAX.Types:decode remaining integer/3 function, accessed via the Elixir.HPAX:decode/2 entry point, does not impose an upper bound on the decoded value or the number of continuation octets. Since BEAM integers use arbitrary precision, a sequence of continuation octets creates an O(N)-bit bignum, resulting in a superlinear decoding cost of approximately O(N^2). An unauthenticated attacker can exploit this by sending a small HTTP/2 header block that consumes excessive CPU and transient memory, leading to a denial-of-service amplification.
Recommendations Update hpax to version 1.0.4 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-58226
GHSA-JJ2P-32J7-WHJ2

Affected Products

Hpax