PT-2026-57994 · Hexpm · Elixir-Mint
Andrea Leopardi
+1
·
Published
2026-07-14
·
Updated
2026-07-14
·
CVE-2026-59246
CVSS v4.0
6.3
Medium
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
elixir-mint versions 0.1.0 through 1.9.1
Description
A remote HTTP/2 server can cause memory exhaustion and a denial of service on the client host. The
handle continuation/3 function in lib/mint/http2.ex accumulates header-block fragments from HTTP/2 CONTINUATION frames into a nesting structure that only releases upon receiving a frame with the END HEADERS flag. While there is a size limit check via assert header block within max size/2, the protocol allows CONTINUATION frames to have zero-length payloads. An attacker can send an unbounded chain of these zero-length frames, which bypasses the size cap and continuously increases memory consumption by adding one cons cell per frame, eventually leading to out-of-memory termination of the BEAM node.Recommendations
Update elixir-mint to version 1.9.2 or later.
Exploit
Fix
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Elixir-Mint