PT-2026-57994 · Hexpm · Elixir-Mint

Andrea Leopardi

+1

·

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-59246

CVSS v4.0

6.3

Medium

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions elixir-mint versions 0.1.0 through 1.9.1
Description A remote HTTP/2 server can cause memory exhaustion and a denial of service on the client host. The handle continuation/3 function in lib/mint/http2.ex accumulates header-block fragments from HTTP/2 CONTINUATION frames into a nesting structure that only releases upon receiving a frame with the END HEADERS flag. While there is a size limit check via assert header block within max size/2, the protocol allows CONTINUATION frames to have zero-length payloads. An attacker can send an unbounded chain of these zero-length frames, which bypasses the size cap and continuously increases memory consumption by adding one cons cell per frame, eventually leading to out-of-memory termination of the BEAM node.
Recommendations Update elixir-mint to version 1.9.2 or later.

Exploit

Fix

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59246

Affected Products

Elixir-Mint