Description
Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client (HTTP/2 CONTINUATION flood).

When Mint's HTTP/2 receive path observes a HEADERS frame without the END_HEADERS flag, the unparsed header-block fragment is parked in conn.headers_being_processed, and every subsequent CONTINUATION frame on that stream is appended to the accumulator. Nothing in the receive path caps the accumulator: there is no per-stream size limit, no CONTINUATION frame-count limit, and max_header_list_size is only enforced on outgoing requests, never on inbound header blocks (its default is :infinity).

A malicious or compromised HTTP/2 server can stream an endless sequence of CONTINUATION frames (each up to the peer-advertised SETTINGS_MAX_FRAME_SIZE) and drive the client's iolist to arbitrary size, causing memory exhaustion and BEAM process death. A single connection to an attacker-controlled HTTP/2 endpoint is sufficient.

This issue affects mint: from 0.1.0 before 1.9.0.
Published: 2026-06-02
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a resource‑exhaustion flaw originating from the HTTP/2 CONTINUATION frame handling path in Mint. Attackers can send an unbounded sequence of CONTINUATION frames, which are appended to an in‑memory accumulator without any per‑stream size limit or frame‑count limit. The result is uncontrolled growth of the iolist that drives memory usage arbitrarily high, eventually exhausting the BEAM process and causing it to terminate. This flaw is classified as CWE‑770 and demonstrates that the client has no throttling or limiting mechanisms for inbound header blocks.

Affected Systems

Elixir‑mint Mint clients from the initial 0.1.0 release up to, but not including, version 1.9.0 are affected. Any installation that relies on a Mint version older than 1.9.0 and communicates with HTTP/2 servers that may be compromised or malicious is vulnerable. The official CPE string identifies the product as elixir‑mint:mint, and the vulnerability applies to every release before 1.9.0.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity classification. The EPSS value is not provided, and the flaw is listed as not being part of the CISA KEV catalog. A single outbound connection to an attacker‑controlled HTTP/2 endpoint is a sufficient precondition for exploitation; no authentication or special privileges are required. Because the vulnerable code path lacks any safeguard against excessive memory allocation, exploitation is straightforward for any server the client connects to, so the risk is relatively high whenever the client talks HTTP/2 to untrusted servers.

Generated by OpenCVE AI on June 2, 2026 at 16:40 UTC.

Remediation

Vendor Workaround

Restrict Mint to HTTP/1 on connections to untrusted servers by passing protocols: [:http1] to Mint.HTTP.connect/4. This avoids the vulnerable HTTP/2 receive path entirely, at the cost of losing HTTP/2 for those connections.


OpenCVE Recommended Actions

  • Upgrade the Mint client to version 1.9.0 or later to apply the vendor fix.
  • If upgrading is not possible immediately, configure Mint to use only HTTP/1.1 for connections to untrusted servers; e.g., pass protocols: [:http1] to Mint.HTTP.connect/4, which bypasses the vulnerable HTTP/2 receive path.
  • Monitor the application for signs of abnormal memory usage or BEAM process crashes, and trigger an alert if such symptoms occur.
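The following Elixir module is an added illustration, not Mint's own code: it shows the kind of per-stream limit the advisory says the vulnerable receive path lacks (a byte cap and a frame-count cap on accumulated HEADERS/CONTINUATION fragments), and ends with the vendor workaround of pinning a connection to HTTP/1 via `protocols: [:http1]`. The module name, function names, cap values and the sample fragments are all constructed for this example; the `Mint.HTTP.connect/4` call is the one named in the workaround above and needs the `:mint` dependency and a real host.

```elixir
# Added example (hypothetical names): a bounded header-block accumulator.
# A client that enforces caps like these treats a flood of CONTINUATION
# frames as a connection-level protocol error instead of buffering forever.
defmodule BoundedHeaderBlock do
  defstruct fragments: [], bytes: 0, frames: 0, max_bytes: 0, max_frames: 0

  # Constructed limits: four default-size (16 KiB) frames, at most 8 frames.
  @default_max_bytes 16_384 * 4
  @default_max_frames 8

  def new(opts \\ []) do
    %__MODULE__{
      max_bytes: Keyword.get(opts, :max_bytes, @default_max_bytes),
      max_frames: Keyword.get(opts, :max_frames, @default_max_frames)
    }
  end

  # Append one header-block fragment; refuse as soon as either cap is crossed.
  def append(%__MODULE__{} = acc, fragment) when is_binary(fragment) do
    bytes = acc.bytes + byte_size(fragment)
    frames = acc.frames + 1

    cond do
      bytes > acc.max_bytes ->
        {:error, {:header_block_too_large, bytes, acc.max_bytes}}

      frames > acc.max_frames ->
        {:error, {:too_many_continuation_frames, frames, acc.max_frames}}

      true ->
        # Keep the fragments as nested iodata; no copying until END_HEADERS.
        {:ok, %{acc | fragments: [acc.fragments, fragment], bytes: bytes, frames: frames}}
    end
  end

  # Flatten the accumulated iodata once the END_HEADERS flag has been seen.
  def finish(%__MODULE__{fragments: fragments}), do: IO.iodata_to_binary(fragments)

  # Feed fragments in the order a server would send them; stop at the first violation.
  def consume(fragments, opts \\ []) do
    Enum.reduce_while(fragments, {:ok, new(opts)}, fn frag, {:ok, acc} ->
      case append(acc, frag) do
        {:ok, acc} -> {:cont, {:ok, acc}}
        {:error, _} = err -> {:halt, err}
      end
    end)
  end
end

# Constructed input: a small, legitimate two-fragment block is assembled normally.
{:ok, acc} = BoundedHeaderBlock.consume([<<0x82, 0x86>>, <<0x84>>])
IO.inspect(BoundedHeaderBlock.finish(acc), label: "assembled block")

# Constructed input: a stream of maximum-size fragments trips the byte cap on the
# fifth frame, so the accumulator never grows past the configured limit.
flood = Stream.repeatedly(fn -> :binary.copy(<<0>>, 16_384) end)
IO.inspect(BoundedHeaderBlock.consume(Enum.take(flood, 20)), label: "flood")

# Vendor workaround from the advisory: pin untrusted connections to HTTP/1 so the
# HTTP/2 receive path is never entered. Needs the :mint dependency; host is a placeholder.
# {:ok, conn} = Mint.HTTP.connect(:https, "untrusted.example", 443, protocols: [:http1])
```

The `consume/2` driver returns `{:error, {:header_block_too_large, 81920, 65536}}` for the flood, which is the point where a hardened client would close the connection; the legitimate block is returned intact. The caps are deliberately tunable through `new/1`, since the right value depends on the largest header block the application legitimately expects.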

Generated by OpenCVE AI on June 2, 2026 at 16:40 UTC.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 18:30:00 +0000

Type       Values removed   Values added
Metrics    (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 15:45:00 +0000

Type                  Values removed   Values added
Description           (none)           (identical to the Description section above)
Title                 (none)           HTTP/2 CONTINUATION flood in Mint client via unbounded header-block accumulation
First Time appeared   (none)           Elixir-mint; Elixir-mint mint
Weaknesses            (none)           CWE-770
CPEs                  (none)           cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*
Vendors & Products    (none)           Elixir-mint; Elixir-mint mint
References            (none)           (none)
Metrics               (none)           cvssV4_0: {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-02T19:14:33.100Z

Reserved: 2026-06-01T13:45:22.448Z

Link: CVE-2026-49754

Vulnrichment

Updated: 2026-06-02T18:07:25.237Z

NVD

Status: Deferred

Published: 2026-06-02T16:16:44.930

Modified: 2026-06-02T20:16:40.010

Link: CVE-2026-49754

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T17:45:05Z

Weaknesses