Jul 9, 2026·7 min read·5 visits
A flaw in Elixir's Mint HTTP client allows hostile HTTP/2 servers to exhaust client memory by flooding PUSH_PROMISE frames without sending headers. This triggers unbounded state allocation in the Erlang VM and crashes the client.
An allocation of resources without limits or throttling vulnerability in the Elixir Mint HTTP client library allows malicious HTTP/2 servers to trigger memory exhaustion and application denial of service. The flaw exists because Mint fails to validate server-push concurrency limits during the receipt of PUSH_PROMISE frames, deferring validation to the HEADERS phase. This allows a server to reserve an unlimited number of streams in the client's memory map.
The Elixir package mint is a highly leveraged HTTP/1 and HTTP/2 client designed for the Erlang VM (BEAM). It provides low-level process-less connection management and is frequently utilized in high-concurrency environments. By default, Mint supports the HTTP/2 Server Push specification (RFC 7540 / RFC 9113), which allows a server to preemptively send resources to a client that it anticipates the client will request.
Under default configuration parameters, Server Push is automatically enabled (client_settings.enable_push defaults to true). When communicating over an HTTP/2 connection, a server initiates a push stream by transmitting a PUSH_PROMISE frame. This frame contains a promised stream ID and request headers. The receipt of this frame transitions the promised stream to a :reserved_remote state on the client side.
In vulnerable versions of Mint, the library fails to limit the number of streams a server can transition into this :reserved_remote state. A malicious or compromised server can leverage this state-tracking mechanism to execute a resource exhaustion attack. By sending a continuous stream of PUSH_PROMISE frames without ever fulfilling them, the server forces the client to allocate heap memory for each stream, eventually leading to process termination via an Out-Of-Memory (OOM) event.
The root cause of CVE-2026-48862 is an allocation of resources without limits (CWE-770) within the HTTP/2 frame parsing architecture. Specifically, the flaw lies in lib/mint/http2.ex inside the private function decode_push_promise_headers_and_add_response/5.
When Mint receives a PUSH_PROMISE frame, it immediately decodes the header block fragment (HBF) to keep the HPACK dynamic table state synchronized with the server. After decoding, the library constructs a stream representation map and inserts it into the active connection streams dictionary (conn.streams). At this point, the stream's state is designated as :reserved_remote.
While Mint tracks the max concurrency limit set by the client via client_settings.max_concurrent_streams, this check was historically only performed when the actual response HEADERS for the promised stream arrived. Because the state transition from :reserved_remote to an active state requires the receipt of these response headers, a server can bypass the concurrency cap entirely. By emitting an arbitrary number of PUSH_PROMISE frames and deliberately withholding the matching response HEADERS, the server ensures that the concurrency validation logic is never reached. Consequently, the size of the conn.streams map increases linearly and without limit for every frame received.
The official patch (Commit 70b97b6a5209fb288b0e04d8e657dda26c59de67) resolved the vulnerability by introducing pre-allocation accounting of the :reserved_remote streams.
In the vulnerable implementation, any valid PUSH_PROMISE frame was directly added to the stream collection without calculating current reserved limits:
# VULNERABLE CODE PATH
promised_stream = %{
id: promised_stream_id,
ref: make_ref(),
state: :reserved_remote,
send_window_size: conn.server_settings.initial_window_size,
receive_window_size: conn.client_settings.initial_window_size,
receive_window_remaining: conn.client_settings.initial_window_size,
received_first_headers?: false
}
conn = put_in(conn.streams[promised_stream.id], promised_stream)The patch addresses this by adding a new tracking metric, reserved_server_stream_count, to the core %Mint.HTTP2{} struct. When a PUSH_PROMISE frame is parsed, the combined total of active and reserved streams is calculated and checked against the client's limits at promise time:
# PATCHED CODE PATH
# First, the HPACK table is synchronized by decoding the headers
{conn, headers} = decode_hbf(conn, hbf)
# Calculate total streams currently occupied by the server
server_stream_count = conn.open_server_stream_count + conn.reserved_server_stream_count
# Enforce max concurrency before allocating the state map
if server_stream_count >= conn.client_settings.max_concurrent_streams do
conn = refuse_promised_stream(conn, promised_stream_id)
{conn, responses}
else
promised_stream = %{
id: promised_stream_id,
ref: make_ref(),
state: :reserved_remote,
# ... (window settings)
}
conn = put_in(conn.streams[promised_stream.id], promised_stream)
conn = update_in(conn.reserved_server_stream_count, &(&1 + 1))
new_response = {:push_promise, stream.ref, promised_stream.ref, headers}
{conn, [new_response | responses]}
endAdditionally, the patch safely decrements the reserved_server_stream_count in lib/mint/http2.ex whenever a stream transition occurs or when a connection reset resets a reserved stream. If the limit is exceeded, refuse_promised_stream/2 is executed, which encodes and transmits an HTTP/2 RST_STREAM frame with the error code :refused_stream back to the server. The refused stream is never committed to the client's in-memory dictionary, bounding memory usage.
An attacker must construct a malicious HTTP/2 server or compromise an upstream server to execute this attack. The target (the Elixir client) must initiate an outbound connection to this hostile endpoint. No user interaction or specialized privileges are required to perform the attack once the network connection is established.
Upon receiving the client's initial request, the malicious server transmits a rapid sequence of PUSH_PROMISE frames. Under the HTTP/2 specification, the promised stream identifier must be an even integer and must not have been previously utilized. The server generates thousands of sequential, even stream IDs (e.g., 4, 6, 8, 10, ...).
For each PUSH_PROMISE sent, the server specifies headers but intentionally never transmits the corresponding response headers that would open and subsequently close the stream. As the client parses each frame, its conn.streams map grows. Within the BEAM virtual machine, each entry in this map allocates heap space for the tracking metadata and a unique reference created via make_ref(). Under a sustained flood, the memory footprint of the Elixir process hosting the connection expands exponentially, exhausting system memory and causing the OS kernel or the BEAM runtime to terminate the application process.
While the applied patch successfully mitigates unbounded stream allocation, secondary vectors must be evaluated by security engineers maintaining HTTP/2 client infrastructures.
First, because the client is required to maintain HPACK dynamic table state synchronization, it must execute decode_hbf/2 on every incoming PUSH_PROMISE frame, including those it immediately refuses. A malicious server could exploit this requirement by sending an endless stream of highly compressed, mathematically complex headers (HPACK dynamic table manipulations or 'HPACK Bombs'). Although the streams are discarded, the CPU cycles spent decoding the HBF and the temporary heap allocations needed during processing present a secondary Denial of Service vector.
Second, an attacker could implement a slow-concurrency attack. By opening exactly the maximum allowed concurrent streams (e.g., 100 streams) and keeping them in the :reserved_remote state permanently, the server can exhaust the client's push capacity. While this does not cause memory exhaustion, it results in a logical Denial of Service for any subsequent legitimate server push frames.
To fully remediate CVE-2026-48862, organizations must upgrade Mint to version 1.9.0 or higher. This version introduces the proactive concurrency limit verification and counts reserved streams against the client-side concurrency cap.
If upgrading the library is not immediately feasible due to deployment or dependency pinning constraints, administrators must disable HTTP/2 Server Push. This can be configured globally or per-connection by setting the :enable_push option to false within the Mint connection parameters:
# Workaround configuration to disable server push
{:ok, conn} = Mint.HTTP.connect(:https, "endpoint.example.com", 443, [
client_settings: [enable_push: false]
])When :enable_push is disabled, Mint's frame decoder automatically drops or rejects any incoming PUSH_PROMISE frames at the frame-parsing layer, returning a protocol error to the server. This prevents the execution of the vulnerable state-allocation code path, completely neutralizing the attack vector.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N| Product | Affected Versions | Fixed Version |
|---|---|---|
mint elixir-mint | >= 0.2.0, < 1.9.0 | 1.9.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-770 (Allocation of Resources Without Limits or Throttling) |
| Attack Vector | Network |
| CVSS Score | 8.2 (High) |
| EPSS Score | 0.00384 (30.40th percentile) |
| Impact | Denial of Service (Memory Exhaustion / Crash) |
| Exploit Status | none (No public weaponized exploits) |
| KEV Status | Not listed |
The system allocates memory or other resources based on user-controlled inputs without enforcing limits on the maximum volume of resources allocated.
An Improper Encoding or Escaping of Output vulnerability (CWE-116) in elixir-tesla allowed unauthenticated remote code execution or request smuggling via unescaped Content-Disposition parameters in multipart form-data requests.
CVE-2026-49851 is a high-severity algorithmic complexity vulnerability in the Mistune Markdown parser. Under specific conditions involving dense, unmatched nesting of opening square brackets, the parser fallback loops degrade from linear execution time to a worst-case quadratic complexity. This allows unauthenticated remote attackers to trigger complete CPU exhaustion and subsequent Denial of Service with a highly compact payload.
An unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki prior to version 4.6.6. The application attempts to validate mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. This design leads to both Regular Expression Denial of Service (ReDoS) and Remote Code Execution (RCE) via validation bypass.
An infinite loop vulnerability exists in the pure-Python PDF library pypdf prior to version 6.13.1. When parsing or merging a crafted PDF file containing a cyclic Article/Thread structure, the library fails to exit its traversal loop. This causes the executing thread to hang indefinitely, leading to 100% CPU utilization and a denial of service. The vulnerability is tracked under CVE-2026-54651 and GHSA-g9xf-7f8q-9mcj, with a CVSS base score of 5.5. This technical report provides a root cause analysis, code review, exploitation vectors, and mitigation paths.
The Netty-based HTTP Client in the Micronaut framework fails to enforce a maximum redirect ceiling by default when processing HTTP responses. This permits remote, attacker-controlled servers to trigger continuous, infinite redirect loops. The resulting recursion causes high CPU utilization, thread starvation, and potential memory exhaustion, inducing a Denial of Service (DoS) state in client-side applications.
An information disclosure vulnerability exists in the Micronaut Framework's HTTP client components. The client fails to clear sensitive authorization headers and cookies when following redirects across different origins. If an application using the vulnerable client communicates with an endpoint that issues a redirect to an external host, the client will forward the original credentials, leading to potential token theft and session hijacking.