PT-2026-55926 · Hexpm · Hpax
Andrea Leopardi
+2
·
Published
2026-07-06
·
Updated
2026-07-06
·
CVE-2026-58226
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
hpax versions 0.1.1 through 1.0.3
Description
An inefficient algorithmic complexity issue exists during the decoding of HPACK variable-length integers. The
Elixir.HPAX.Types:decode remaining integer/3 function, accessed via the Elixir.HPAX:decode/2 entry point, does not impose an upper bound on the decoded value or the number of continuation octets. Since BEAM integers use arbitrary precision, a sequence of continuation octets creates an O(N)-bit bignum, resulting in a superlinear decoding cost of approximately O(N^2). An unauthenticated attacker can exploit this by sending a small HTTP/2 header block that consumes excessive CPU and transient memory, leading to a denial-of-service amplification.Recommendations
Update hpax to version 1.0.4 or later.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Hpax