CVE-2026-48862: Unbounded Resource Allocation via HTTP/2 PUSH_PROMISE Flooding in Mint
Vulnerability ID: CVE-2026-48862
CVSS Score: 8.2
Published: 2026-07-09
An allocation of resources without limits or throttling vulnerability in the Elixir Mint HTTP client library allows malicious HTTP/2 servers to trigger memory exhaustion and application denial of service. The flaw exists because Mint fails to validate server-push concurrency limits during the receipt of PUSH_PROMISE frames, deferring validation to the HEADERS phase. This allows a server to reserve an unlimited number of streams in the client's memory map.
TL;DR
A flaw in Elixir's Mint HTTP client allows hostile HTTP/2 servers to exhaust client memory by flooding PUSH_PROMISE frames without sending headers. This triggers unbounded state allocation in the Erlang VM and crashes the client.
Technical Details
- CWE ID: CWE-770 (Allocation of Resources Without Limits or Throttling)
- Attack Vector: Network
- CVSS Score: 8.2 (High)
- EPSS Score: 0.00384 (30.40th percentile)
- Impact: Denial of Service (Memory Exhaustion / Crash)
- Exploit Status: none (No public weaponized exploits)
- KEV Status: Not listed
Affected Systems
- Mint HTTP Client (Elixir)
-
mint: >= 0.2.0, < 1.9.0 (Fixed in:
1.9.0)
Code Analysis
Commit: 70b97b6
Fix unbounded memory growth in Mint HTTP/2 client via PUSH_PROMISE concurrency check
Mitigation Strategies
- Disable HTTP/2 Server Push explicitly in connection parameters when connecting to untrusted third-party endpoints.
- Upgrade the Mint dependency in Hex to version 1.9.0 or higher.
- Implement process-level memory limits within the Erlang VM to prevent single-process leaks from crashing the entire virtual machine.
Remediation Steps:
- Open the mix.exs file in the Elixir project.
- Locate the :mint dependency definition and update the version string to '>= 1.9.0'.
- Run the command 'mix deps.get' to fetch and compile the updated library.
- Verify the update by confirming that 'mix.lock' references version 1.9.0 or later.
- Redeploy the application to production.
References
- GitHub Security Advisory: GHSA-g586-ccqf-7x4r
- Official Patch Commit
- Erlang Ecosystem Foundation Advisory
- OSV Database Entry
- NVD Details Page
Read the full report for CVE-2026-48862 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)