Description
Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client via PUSH_PROMISE flooding.

In lib/mint/http2.ex, Mint.HTTP2.decode_push_promise_headers_and_add_response/5 inserts a :reserved_remote entry into conn.streams for every promised stream ID. The neighbouring Mint.HTTP2.assert_valid_promised_stream_id/2 only verifies that the promised ID is even and not already present; client_settings.max_concurrent_streams is not consulted at promise time. The concurrency cap is only checked when the response HEADERS for the promised stream arrive, so a server that emits PUSH_PROMISE frames and withholds the matching HEADERS never trips that check.

HTTP/2 server push is accepted by default (client_settings.enable_push defaults to true). A single long-lived HTTP/2 connection to a hostile server lets that server pin one conn.streams entry per PUSH_PROMISE frame it sends, with no upper bound, until the client process runs out of memory.

This issue affects mint: from 0.2.0 before 1.9.0.
Published: 2026-06-02
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Mint HTTP/2 client allocates a reserved stream entry for every inbound PUSH_PROMISE frame without checking the configured max_concurrent_streams limit. The concurrency cap is only validated when the promised stream’s HEADERS arrive, so a server can send many PUSH_PROMISE frames and withhold the matching HEADERS until the client is overwhelmed. An attacker controlling an HTTP/2 server can therefore force the client to grow its internal conn.streams table without bound, exhausting heap memory and ultimately crashing or becoming unresponsive.

Affected Systems

The vulnerability affects elixir-mint:mint releases from 0.2.0 up through, but not including, 1.9.0. Default configuration enables HTTP/2 server push; clients that allow push from unfamiliar servers are vulnerable. The issue is tied to the client library itself and not to application code that uses it.

Risk and Exploitability

The CVSS base score of 8.2 indicates high severity, and the EPSS score is not currently available. The exploit requires only a persistent HTTP/2 connection to a malicious server with server push enabled, a scenario that an attacker can easily orchestrate. Though not listed in the CISA KEV catalog, the lack of an upper bound on stream entries means a single long-lived connection can deplete system memory, posing a significant risk to services that depend on continuous uptime.

Generated by OpenCVE AI on June 2, 2026 at 17:06 UTC.

Remediation

Vendor Workaround

Disable HTTP/2 server push on connections to untrusted servers by passing client_settings: [enable_push: false] to Mint.HTTP.connect/4. This makes Mint reject any inbound PUSH_PROMISE frame with a PROTOCOL_ERROR before the vulnerable code path is reached.

OpenCVE Recommended Actions

  • Update Mint to version 1.9.0 or newer to enforce PUSH_PROMISE limits
  • Disable HTTP/2 server push by passing client_settings: [enable_push: false] when calling Mint.HTTP.connect/4, causing PUSH_PROMISE frames to be rejected with a PROTOCOL_ERROR before the vulnerable code runs
  • Add monitoring for abnormal memory growth or stalled connections, and enforce connection throttling or limits if feasible
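The vendor workaround and the second recommended action above describe the same client setting. The following Elixir module is an added example, not code from Mint or OpenCVE: it places the default (push-enabled) connect beside the hardened one, checks the negotiated setting after connecting, and adds a per-connection PUSH_PROMISE budget for callers that must keep push on. PushGuard, @max_promises and the host/port arguments are assumptions; the Mint.HTTP and Mint.HTTP2 calls are Mint's public API.

```elixir
defmodule PushGuard do
  @moduledoc "Hypothetical helper (not part of Mint) for the push-related workaround on this page."

  # Weak form: Mint leaves enable_push at its default of true, so an untrusted
  # server can reserve one conn.streams entry per PUSH_PROMISE frame it sends.
  def connect_default(host, port) do
    Mint.HTTP.connect(:https, host, port, protocols: [:http2])
  end

  # Hardened form: with enable_push: false Mint rejects any PUSH_PROMISE with a
  # PROTOCOL_ERROR before the reserved stream entry is ever allocated.
  def connect_no_push(host, port) do
    Mint.HTTP.connect(:https, host, port,
      protocols: [:http2],
      client_settings: [enable_push: false]
    )
  end

  # Post-connect check: HTTP/2 was negotiated and the advertised push setting is off.
  def push_disabled?(conn) do
    Mint.HTTP.protocol(conn) == :http2 and
      Mint.HTTP2.get_client_setting(conn, :enable_push) == false
  end

  # Defence in depth for callers that must keep push on: count the push_promise
  # responses Mint.HTTP.stream/2 hands back and close the connection once an
  # assumed per-connection budget is exceeded. Closing the connection is what
  # frees the reserved entries; the budget only bounds how far they can grow.
  @max_promises 32

  def stream_with_budget(conn, message, promises_seen) do
    case Mint.HTTP.stream(conn, message) do
      {:ok, conn, responses} ->
        seen = promises_seen + Enum.count(responses, &match?({:push_promise, _, _, _}, &1))

        if seen > @max_promises do
          {:ok, _closed} = Mint.HTTP.close(conn)
          {:error, :push_promise_flood}
        else
          {:ok, conn, responses, seen}
        end

      other ->
        other
    end
  end
end
```

The budget guard only observes promises after Mint has already decoded the frames in that batch, so it limits growth per connection rather than preventing the allocation; disabling push, or upgrading to 1.9.0, is the actual fix.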


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description section at the top of this page)
Title | | Unbounded conn.streams growth in Mint HTTP/2 client via unenforced PUSH_PROMISE concurrency
First Time appeared | | Elixir-mint; Elixir-mint mint
Weaknesses | | CWE-770
CPEs | | cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*
Vendors & Products | | Elixir-mint; Elixir-mint mint
References | |
Metrics | | cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-02T19:14:09.683Z

Reserved: 2026-05-25T20:44:10.697Z

Link: CVE-2026-48862

Vulnrichment

Updated: 2026-06-02T18:10:50.687Z

NVD

Status: Deferred

Published: 2026-06-02T16:16:44.627

Modified: 2026-06-02T20:16:39.250

Link: CVE-2026-48862

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:51:05Z

Weaknesses