DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-48862: CVE-2026-48862: Unbounded Resource Allocation via HTTP/2 PUSH_PROMISE Flooding in Mint

CVE-2026-48862: Unbounded Resource Allocation via HTTP/2 PUSH_PROMISE Flooding in Mint

Vulnerability ID: CVE-2026-48862
CVSS Score: 8.2
Published: 2026-07-09

An allocation of resources without limits or throttling vulnerability in the Elixir Mint HTTP client library allows malicious HTTP/2 servers to trigger memory exhaustion and application denial of service. The flaw exists because Mint fails to validate server-push concurrency limits during the receipt of PUSH_PROMISE frames, deferring validation to the HEADERS phase. This allows a server to reserve an unlimited number of streams in the client's memory map.

TL;DR

A flaw in Elixir's Mint HTTP client allows hostile HTTP/2 servers to exhaust client memory by flooding PUSH_PROMISE frames without sending headers. This triggers unbounded state allocation in the Erlang VM and crashes the client.


Technical Details

  • CWE ID: CWE-770 (Allocation of Resources Without Limits or Throttling)
  • Attack Vector: Network
  • CVSS Score: 8.2 (High)
  • EPSS Score: 0.00384 (30.40th percentile)
  • Impact: Denial of Service (Memory Exhaustion / Crash)
  • Exploit Status: none (No public weaponized exploits)
  • KEV Status: Not listed

Affected Systems

  • Mint HTTP Client (Elixir)
  • mint: >= 0.2.0, < 1.9.0 (Fixed in: 1.9.0)

Code Analysis

Commit: 70b97b6

Fix unbounded memory growth in Mint HTTP/2 client via PUSH_PROMISE concurrency check

Mitigation Strategies

  • Disable HTTP/2 Server Push explicitly in connection parameters when connecting to untrusted third-party endpoints.
  • Upgrade the Mint dependency in Hex to version 1.9.0 or higher.
  • Implement process-level memory limits within the Erlang VM to prevent single-process leaks from crashing the entire virtual machine.

Remediation Steps:

  1. Open the mix.exs file in the Elixir project.
  2. Locate the :mint dependency definition and update the version string to '>= 1.9.0'.
  3. Run the command 'mix deps.get' to fetch and compile the updated library.
  4. Verify the update by confirming that 'mix.lock' references version 1.9.0 or later.
  5. Redeploy the application to production.

References


Read the full report for CVE-2026-48862 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)