CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-49754

CVE-2026-49754: Denial of Service via Unbounded HTTP/2 CONTINUATION Frame Accumulation in Elixir Mint

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 10, 2026·6 min read·6 visits

Executive Summary (TL;DR)

An unauthenticated, remote attacker can crash any Elixir application utilizing the Mint client library to establish HTTP/2 connections by hosting a malicious server that streams an infinite series of HTTP/2 CONTINUATION frames.

An allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.

Vulnerability Overview

The Mint library is an HTTP/1 and HTTP/2 client for Elixir, widely used within the Erlang Ecosystem for low-level protocol management. During HTTP/2 processing, Mint relies on a state machine to parse incoming streams. One of the core mechanics of HTTP/2 is frame-based multiplexing, which includes dividing large header sets across multiple frames using the CONTINUATION frame format.

Under normal execution, if a HEADERS or PUSH_PROMISE frame exceeds the maximum allowed payload size, the server clears the END_HEADERS flag and transmits the remaining block inside successive CONTINUATION frames. The client is obligated to buffer these unparsed fragments until it receives a CONTINUATION frame containing the END_HEADERS flag. This design introduces an attack surface where a peer can send frames indefinitely without closing the sequence.

In vulnerable versions of Mint (versions 0.1.0 up to 1.9.0), the parser did not enforce boundaries on the size or count of incoming CONTINUATION frames. This omission allows an attacker-controlled server to trigger a denial of service (DoS). A single connection to an attacker-controlled HTTP/2 endpoint is sufficient to exhaust the memory of the client host, causing a crash of the entire Erlang Virtual Machine.

Root Cause Analysis

The root cause of CVE-2026-49754 is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). When the Mint HTTP/2 engine processes a HEADERS frame without the END_HEADERS flag, it initiates a holding structure in the connection state. The unparsed fragment is saved in the conn.headers_being_processed tuple, awaiting the completion of the header block.

For each subsequent CONTINUATION frame received on that stream, Mint appends the new raw binary data to an accumulator list (iolist). The state machine relies on the default value of the :max_header_list_size configuration to define processing boundaries. In vulnerable releases, this configuration defaulted to :infinity for the receive path, and validation was only performed on outbound requests rather than inbound header blocks.

Because the receiver lacks an upper bound checking mechanism during accumulation, an attacker can stream an endless sequence of CONTINUATION frames. Each frame can contain up to the maximum negotiated payload size, typically 16 KiB. As the client process structures these pieces into an internal nested list, the memory consumption of the host Erlang VM process grows linearly with each frame, eventually triggering a kernel-level out-of-memory (OOM) termination.

Code-Level Analysis

The vulnerability manifests in how the receive state machine updates the state when receiving consecutive chunks. The original, vulnerable parsing implementation dynamically grew the connection state list without computing size limits.

# Vulnerable code structure in Mint.HTTP2
{^stream_id, hbf_acc, callback} = conn.headers_being_processed
 
if flag_set?(flags, :continuation, :end_headers) do
  hbf = IO.iodata_to_binary([hbf_acc, hbf_chunk])
  conn = put_in(conn.headers_being_processed, nil)
  callback.(conn, responses, hbf, stream)
else
  # Vulnerability: Unbounded accumulation of chunks into the connection state
  conn = put_in(conn.headers_being_processed, {stream_id, [hbf_acc, hbf_chunk], callback})
  {conn, responses}
end

The patched version introduces a tuple containing four elements: {stream_id, hbf_acc, callback, acc_size}. The implementation now explicitly calculates the cumulative byte size in $O(1)$ time complexity for every incoming frame chunk.

# Patched code structure in Mint.HTTP2
{^stream_id, hbf_acc, callback, acc_size} = conn.headers_being_processed
 
if flag_set?(flags, :continuation, :end_headers) do
  hbf = IO.iodata_to_binary([hbf_acc, hbf_chunk])
  conn = put_in(conn.headers_being_processed, nil)
  callback.(conn, responses, hbf, stream)
else
  new_size = acc_size + byte_size(hbf_chunk)
  # Validation is enforced immediately on each chunk arrival
  conn = assert_header_block_within_max_size(conn, new_size)
 
  conn = put_in(
    conn.headers_being_processed,
    {stream_id, [hbf_acc, hbf_chunk], callback, new_size}
  )
  {conn, responses}
end

The check evaluates the current accumulator size against the locally defined max_header_list_size value. By default, this value has been changed from :infinity to 256 KB. If the total byte size exceeds this threshold, the connection terminates with a protocol error, preventing memory exhaustion.

Exploitation Methodology

Exploiting CVE-2026-49754 requires that a vulnerable Mint client establish an outbound HTTP/2 connection to an attacker-controlled endpoint. No administrative credentials or previous authentications are required. The attack succeeds purely based on protocol-level frame delivery.

Once the client initiates a request, the malicious server responds by sending a HEADERS frame without the END_HEADERS flag set. The server then streams a continuous loop of standard HTTP/2 CONTINUATION frames. Each frame contains maximum payload data, typically formatted as arbitrary or structured bytes. The server purposely avoids transmitting the END_HEADERS flag inside any subsequent frames.

Because the victim's client parser accumulates all payloads into the heap of the active connection process, memory exhaustion occurs rapidly. Laboratory replication reveals that sending approximately 64,000 frames (each containing 16 KiB of dummy payload) consumes over 1 GiB of RAM within seconds. The high rate of frame generation allows an attacker to quickly exhaust system memory and crash the client process.

Security Impact Assessment

The impact of CVE-2026-49754 is a complete loss of client availability. Because the Erlang Runtime System (BEAM) executes multiple concurrent applications and supervisors on a single VM, a crash in the low-level HTTP client process can propagate, leading to the termination of the entire system.

The vulnerability is highly critical for Elixir systems that query untrusted third-party services, perform web scraping, or parse outbound webhooks. An adversary can trigger a crash across an entire cluster of microservices by returning a crafted response to an outbound API call.

There is no risk to data integrity or confidentiality, as the bug does not allow arbitrary code execution, file disclosure, or privilege escalation. The CVSS 4.0 score of 8.2 reflects this high impact on availability, combined with low attack complexity.

Remediation and Mitigation

To resolve the vulnerability, developers must upgrade the mint dependency in their Mix configuration to version 1.9.0 or later. This version enforces strict bounds checking and changes the default maximum header block size from :infinity to 256 KB.

If upgrading is not immediately possible, applications can work around the vulnerability by forcing connections to use HTTP/1.1 when talking to untrusted servers. The HTTP/1.1 parsing engine in Mint does not use the vulnerable multi-frame accumulation logic. This is achieved by passing the :protocols option explicitly.

# Workaround: Restrict connections to HTTP/1.1
Mint.HTTP.connect(:https, "untrusted-api.com", 443, protocols: [:http1])

Security teams can deploy intrusion detection system (IDS) rules at the network perimeter to identify sessions with abnormal ratio balances of HTTP/2 CONTINUATION frames. Additionally, reverse proxies or web application firewalls (WAFs) can be placed in front of client outbound traffic to enforce strict HTTP/2 frame validation.

Official Patches

elixir-mintCommit fixing unbounded header list accumulation by introducing size tracking parameters.

Fix Analysis (1)

Technical Appendix

CVSS Score
8.2/ 10
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Probability
0.38%
Top 70% most exploited

Affected Systems

Applications utilizing the Elixir Mint HTTP client library for outbound HTTP/2 connections.

Affected Versions Detail

Product
Affected Versions
Fixed Version
mint
elixir-mint
>= 0.1.0, < 1.9.01.9.0
AttributeDetail
CWE IDCWE-770
Attack VectorNetwork
CVSS v4.0 Score8.2 (High)
Exploit MaturityProof-of-Concept (PoC)
EPSS Score0.00384
CISA KEV StatusNot Listed

MITRE ATT&CK Mapping

T1499Endpoint Denial of Service
Impact
CWE-770
Allocation of Resources Without Limits or Throttling

The application allocates memory or other resources without checking or restricting the total size, allowing an attacker to exhaust system resources.

Known Exploits & Detection

GitHub Security AdvisoryOfficial replication details verified by Mint maintainers via integrated project unit tests, showing OOM crashes after approximately 64,000 continuous frames.

Vulnerability Timeline

Vulnerability identified and patch developed by maintainers
2026-06-02
Commit b662d127d3028b5426c88d4c9cc7fe430491a10b pushed to repository
2026-06-02
Security Advisory and CVE-2026-49754 published
2026-06-02

References & Sources

  • [1]GitHub Advisory: Allocation of Resources Without Limits or Throttling in elixir-mint
  • [2]Erlang Ecosystem Foundation Security Advisory
  • [3]Open Source Vulnerability Database Entry

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•35 minutes ago•CVE-2026-48861
2.1

CVE-2026-48861: HTTP Request Splitting and Smuggling via Method Parameter CRLF Injection in Elixir Mint

CVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.

Amit Schendel
Amit Schendel
2 views•7 min read
•about 1 hour ago•CVE-2026-49753
6.3

CVE-2026-49753: HTTP Request/Response Smuggling via Inconsistent Content-Length Parsing in Elixir Mint Client

An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 2 hours ago•CVE-2026-48596
2.1

CVE-2026-48596: Improper Neutralization of CRLF Sequences in Elixir Tesla Multipart HTTP Client

CVE-2026-48596 is an Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting, CWE-113) in the Elixir Tesla HTTP client. The flaw resides in how multipart content-type parameters are joined and serialized, enabling attackers to inject arbitrary headers or split HTTP requests when applications pass untrusted inputs to the parameters of multipart uploads.

Alon Barad
Alon Barad
4 views•6 min read
•about 3 hours ago•CVE-2026-48594
8.2

CVE-2026-48594: Decompression Bomb Denial of Service in Elixir Tesla HTTP Client

An improper handling of highly compressed data (decompression bomb) vulnerability exists in the Elixir Tesla HTTP client when utilizing response decompression middlewares. By serving highly compressed responses or stacked content-encoding headers, a malicious server can cause arbitrary heap exhaustion, leading to a denial of service (DoS) crash in the BEAM virtual machine.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 3 hours ago•CVE-2026-48595
8.2

CVE-2026-48595: Cross-Origin Credential Leakage in Elixir Tesla Client via Case-Sensitive Redirect Filter Bypass

A high-severity security vulnerability in Elixir's Tesla HTTP client library (CVE-2026-48595) allows unauthenticated remote attackers to harvest sensitive credentials, including Authorization headers and cookies. The flaw resides in the 'Tesla.Middleware.FollowRedirects' component, which performs case-sensitive lookups when stripping credentials during cross-origin redirects. Because HTTP headers are case-insensitive by RFC specifications, standard canonical casing (e.g., 'Authorization') bypasses the lowercase-only blocklist, leaking tokens to untrusted external redirect destinations.

Alon Barad
Alon Barad
5 views•5 min read
•about 4 hours ago•CVE-2026-48597
8.2

CVE-2026-48597: Denial of Service via Atom Table Exhaustion in Elixir Tesla Client (Mint Adapter)

CVE-2026-48597 is a high-severity Denial of Service (DoS) vulnerability in the Elixir HTTP client library Tesla (specifically involving the Mint adapter) that allows an unauthenticated remote attacker to cause an unrecoverable crash of the Erlang Virtual Machine (BEAM). The flaw arises from the dynamic conversion of untrusted URL schemes into Erlang atoms without validation, leading to global atom table exhaustion.

Alon Barad
Alon Barad
4 views•8 min read