Description
Inefficient Algorithmic Complexity vulnerability in elixir-mint hpax allows unauthenticated denial-of-service via unbounded HPACK integer decoding.

hpax decodes HPACK variable-length integers with no upper bound on the decoded value or the number of continuation octets. 'Elixir.HPAX.Types':decode_remaining_integer/3 accumulates the integer as int + (value <<< m), shifting by 7 more bits for each continuation octet and stopping only on a terminating octet or truncated input, never because the integer grew too large. Because BEAM integers are arbitrary precision, a run of N continuation octets builds an O(N)-bit bignum and re-adds into an ever-larger bignum on each step, so the total decoding cost is superlinear (about O(N^2)). An unauthenticated attacker who can send an HTTP/2 header block to a server using this decoder (reached through the 'Elixir.HPAX':decode/2 entry point) can supply a small header block that forces a large, attacker-controlled amount of CPU (and transient memory), a denial-of-service amplification.

This issue affects hpax from 0.1.1 before 1.0.4.
Published: 2026-07-06
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

hpax decodes HPACK variable-length integers without an upper bound on either the integer value or the number of continuation octets. The decode algorithm accumulates the integer as a bignum, shifting by seven bits for each continuation octet and stopping only on a terminating octet. Because BEAM supports arbitrary precision integers, a long stream of continuation octets creates an O(N)-bit bignum and the cumulative decoding cost grows superlinearly, approximately O(N²). An unauthenticated attacker who can send an HTTP/2 header block to a server using this decoder can supply a small header block that forces a large amount of CPU and transient memory, resulting in a denial‑of‑service amplification.

Affected Systems

The vulnerability affects the elixir-mint hpax library, versions prior to 1.0.4, including all releases from 0.1.1 up to but not including 1.0.4. In particular, any Elixir application that uses hpax to decode HTTP/2 header blocks is susceptible.

Risk and Exploitability

The CVSS score of 8.7 marks this issue as high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. An attacker can trigger the exploit from any network-facing endpoint that accepts HTTP/2 requests, and no authentication is required. The amplification via CPU consumption can exhaust server resources and deny service to legitimate clients.

Generated by OpenCVE AI on July 6, 2026 at 17:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the hpax library to version 1.0.4 or later, which limits the number of continuation octets.
  • If an update is not immediately possible, configure the application or reverse proxy to constrain the size of HTTP/2 header blocks and enforce request‑timeout limits to mitigate excessive CPU usage.
  • Monitor system metrics for abnormal CPU or memory spikes that may indicate an attempted exploitation.

Generated by OpenCVE AI on July 6, 2026 at 17:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 10:30:00 +0000

Type Values Removed Values Added
Description Inefficient Algorithmic Complexity vulnerability in elixir-mint hpax allows unauthenticated denial-of-service via unbounded HPACK integer decoding. hpax decodes HPACK variable-length integers with no upper bound on the decoded value or the number of continuation octets. 'Elixir.HPAX.Types':decode_remaining_integer/3 accumulates the integer as int + (value <<< m), shifting by 7 more bits for each continuation octet and stopping only on a terminating octet or truncated input, never because the integer grew too large. Because BEAM integers are arbitrary precision, a run of N continuation octets builds an O(N)-bit bignum and re-adds into an ever-larger bignum on each step, so the total decoding cost is superlinear (about O(N^2)). An unauthenticated attacker who can send an HTTP/2 header block to a server using this decoder (reached through the 'Elixir.HPAX':decode/2 entry point) can supply a small header block that forces a large, attacker-controlled amount of CPU (and transient memory), a denial-of-service amplification. This issue affects hpax from 0.1.1 before 1.0.4.
Title Unauthenticated denial-of-service via unbounded HPACK integer decoding in hpax
First Time appeared Elixir-mint
Elixir-mint hpax
Weaknesses CWE-407
CPEs cpe:2.3:a:elixir-mint:hpax:*:*:*:*:*:*:*:*
Vendors & Products Elixir-mint
Elixir-mint hpax
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Elixir-mint Hpax
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-07-06T14:04:14.632Z

Reserved: 2026-06-29T18:54:08.633Z

Link: CVE-2026-58226

cve-icon Vulnrichment

Updated: 2026-07-06T12:49:22.337Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T22:41:08Z

Weaknesses
  • CWE-407

    Inefficient Algorithmic Complexity