CVE-2026-49754
Severity CVSS v4.0:
HIGH
Type:
Unavailable / Other
Publication date:
02/06/2026
Last modified:
02/06/2026
Description
Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client (HTTP/2 CONTINUATION flood).<br />
<br />
When Mint&#39;s HTTP/2 receive path observes a HEADERS frame without the END_HEADERS flag, the unparsed header-block fragment is parked in conn.headers_being_processed, and every subsequent CONTINUATION frame on that stream is appended to the accumulator. Nothing in the receive path caps the accumulator: there is no per-stream size limit, no CONTINUATION frame-count limit, and max_header_list_size is only enforced on outgoing requests, never on inbound header blocks (its default is :infinity).<br />
<br />
A malicious or compromised HTTP/2 server can stream an endless sequence of CONTINUATION frames (each up to the peer-advertised SETTINGS_MAX_FRAME_SIZE) and drive the client&#39;s iolist to arbitrary size, causing memory exhaustion and BEAM process death. A single connection to an attacker-controlled HTTP/2 endpoint is sufficient.<br />
<br />
This issue affects mint: from 0.1.0 before 1.9.0.
Impact
Base Score 4.0
8.20
Severity 4.0
HIGH
References to Advisories, Solutions, and Tools
- https://cna.erlef.org/cves/CVE-2026-49754.html
- https://github.com/elixir-mint/mint/commit/b662d127d3028b5426c88d4c9cc7fe430491a10b
- https://github.com/elixir-mint/mint/security/advisories/GHSA-2p26-p43x-fhp8
- https://osv.dev/vulnerability/EEF-CVE-2026-49754
- https://github.com/elixir-mint/mint/security/advisories/GHSA-2p26-p43x-fhp8



