CVE-2026-58226
Severity CVSS v4.0:
HIGH
Type:
Unavailable / Other
Publication date:
06/07/2026
Last modified:
06/07/2026
Description
Inefficient Algorithmic Complexity vulnerability in elixir-mint hpax allows unauthenticated denial-of-service via unbounded HPACK integer decoding.<br />
<br />
hpax decodes HPACK variable-length integers with no upper bound on the decoded value or the number of continuation octets. &#39;Elixir.HPAX.Types&#39;:decode_remaining_integer/3 accumulates the integer as int + (value
Impact
Base Score 4.0
8.70
Severity 4.0
HIGH
References to Advisories, Solutions, and Tools
- https://cna.erlef.org/cves/CVE-2026-58226.html
- https://github.com/elixir-mint/hpax/commit/1ba4bb2dc91e80089cf89c73970ac3ded76f17eb
- https://github.com/elixir-mint/hpax/security/advisories/GHSA-jj2p-32j7-whj2
- https://osv.dev/vulnerability/EEF-CVE-2026-58226
- https://github.com/elixir-mint/hpax/security/advisories/GHSA-jj2p-32j7-whj2



