DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-49754: CVE-2026-49754: Denial of Service via Unbounded HTTP/2 CONTINUATION Frame Accumulation in Elixir Mint

CVE-2026-49754: Denial of Service via Unbounded HTTP/2 CONTINUATION Frame Accumulation in Elixir Mint

Vulnerability ID: CVE-2026-49754
CVSS Score: 8.2
Published: 2026-07-09

An allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.

TL;DR

An unauthenticated, remote attacker can crash any Elixir application utilizing the Mint client library to establish HTTP/2 connections by hosting a malicious server that streams an infinite series of HTTP/2 CONTINUATION frames.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-770
  • Attack Vector: Network
  • CVSS v4.0 Score: 8.2 (High)
  • Exploit Maturity: Proof-of-Concept (PoC)
  • EPSS Score: 0.00384
  • CISA KEV Status: Not Listed

Affected Systems

  • Applications utilizing the Elixir Mint HTTP client library for outbound HTTP/2 connections.
  • mint: >= 0.1.0, < 1.9.0 (Fixed in: 1.9.0)

Code Analysis

Commit: b662d12

Bound size of accumulated header blocks to protect against HTTP/2 CONTINUATION floods

@@ -156,6 +156,12 @@ defmodule Mint.HTTP2 do
   @default_max_frame_size 16_384
   @valid_max_frame_size_range @default_max_frame_size..16_777_215

+  # Default cap on the size of an inbound header block.
+  @default_max_header_list_size 256 * 1024
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • GitHub Security Advisory: Official replication details verified by Mint maintainers via integrated project unit tests, showing OOM crashes after approximately 64,000 continuous frames.

Mitigation Strategies

  • Upgrade the Mint library dependency to version 1.9.0 or higher.
  • Restrict connection protocols to HTTP/1.1 when connecting to external or untrusted endpoints to bypass the HTTP/2 continuation frame logic.
  • Implement deep packet inspection or proxy limits on outbound HTTP/2 connections to enforce strict limits on continuous framing sequences.

Remediation Steps:

  1. Open the Elixir project configuration file mix.exs.
  2. Locate the deps definition and update the mint dependency requirement to version ~> 1.9.
  3. Run mix deps.get in your development terminal to download and integrate the updated version.
  4. Deploy the updated application build to production environments.
  5. For temporary emergency mitigations, modify connection calls in the application code to use the configuration option protocols: [:http1].

References


Read the full report for CVE-2026-49754 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)