CVE-2026-49754: Denial of Service via Unbounded HTTP/2 CONTINUATION Frame Accumulation in Elixir Mint
Vulnerability ID: CVE-2026-49754
CVSS Score: 8.2
Published: 2026-07-09
An allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.
TL;DR
An unauthenticated, remote attacker can crash any Elixir application utilizing the Mint client library to establish HTTP/2 connections by hosting a malicious server that streams an infinite series of HTTP/2 CONTINUATION frames.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-770
- Attack Vector: Network
- CVSS v4.0 Score: 8.2 (High)
- Exploit Maturity: Proof-of-Concept (PoC)
- EPSS Score: 0.00384
- CISA KEV Status: Not Listed
Affected Systems
- Applications utilizing the Elixir Mint HTTP client library for outbound HTTP/2 connections.
-
mint: >= 0.1.0, < 1.9.0 (Fixed in:
1.9.0)
Code Analysis
Commit: b662d12
Bound size of accumulated header blocks to protect against HTTP/2 CONTINUATION floods
@@ -156,6 +156,12 @@ defmodule Mint.HTTP2 do
@default_max_frame_size 16_384
@valid_max_frame_size_range @default_max_frame_size..16_777_215
+ # Default cap on the size of an inbound header block.
+ @default_max_header_list_size 256 * 1024
Exploit Details
- GitHub Security Advisory: Official replication details verified by Mint maintainers via integrated project unit tests, showing OOM crashes after approximately 64,000 continuous frames.
Mitigation Strategies
- Upgrade the Mint library dependency to version 1.9.0 or higher.
- Restrict connection protocols to HTTP/1.1 when connecting to external or untrusted endpoints to bypass the HTTP/2 continuation frame logic.
- Implement deep packet inspection or proxy limits on outbound HTTP/2 connections to enforce strict limits on continuous framing sequences.
Remediation Steps:
- Open the Elixir project configuration file
mix.exs. - Locate the
depsdefinition and update themintdependency requirement to version~> 1.9. - Run
mix deps.getin your development terminal to download and integrate the updated version. - Deploy the updated application build to production environments.
- For temporary emergency mitigations, modify connection calls in the application code to use the configuration option
protocols: [:http1].
References
- GitHub Advisory: Allocation of Resources Without Limits or Throttling in elixir-mint
- Erlang Ecosystem Foundation Security Advisory
- Open Source Vulnerability Database Entry
Read the full report for CVE-2026-49754 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)