{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mint--0.2.0--1.9.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-48862"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Mint (\u003e= 0.2.0, \u003c 1.9.0)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","http/2","elixir","client-side","vulnerability"],"_cs_type":"advisory","_cs_vendors":["elixir-mint"],"content_html":"\u003cp\u003eElixir-Mint HTTP/2 client versions 0.2.0 through 1.8.x are vulnerable to a remote, unauthenticated denial-of-service attack, identified as CVE-2026-48862. A hostile or compromised HTTP/2 server can leverage this vulnerability by sending an excessive number of \u003ccode\u003ePUSH_PROMISE\u003c/code\u003e frames without following up with the matching \u003ccode\u003eHEADERS\u003c/code\u003e. Mint's client, by default, accepts \u003ccode\u003ePUSH_PROMISE\u003c/code\u003e frames and inserts entries into an internal connection stream map without properly enforcing the \u003ccode\u003emax_concurrent_streams\u003c/code\u003e limit, causing the map to grow indefinitely. This unbounded growth leads to linear memory consumption within the client process, eventually resulting in an out-of-memory (OOM) crash and denying service. This vulnerability affects any application using Mint as an HTTP/2 client, especially those connecting to untrusted or attacker-influenced servers, such as web backends, webhook delivery systems, and proxy components.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious or compromised HTTP/2 server establishes a long-lived HTTP/2 connection with a vulnerable Mint client.\u003c/li\u003e\n\u003cli\u003eThe Mint client sends its initial request \u003ccode\u003eHEADERS\u003c/code\u003e for a specific odd stream ID.\u003c/li\u003e\n\u003cli\u003eThe malicious server captures the client's request stream ID.\u003c/li\u003e\n\u003cli\u003eThe malicious server then sends a rapid flood of \u003ccode\u003ePUSH_PROMISE\u003c/code\u003e frames, each associated with the client's request stream ID.\u003c/li\u003e\n\u003cli\u003eEach \u003ccode\u003ePUSH_PROMISE\u003c/code\u003e frame specifies a new, unique even stream ID and carries a minimal HPACK-encoded header block.\u003c/li\u003e\n\u003cli\u003eThe Mint client processes each \u003ccode\u003ePUSH_PROMISE\u003c/code\u003e frame, adding a \u003ccode\u003e:reserved_remote\u003c/code\u003e entry into its \u003ccode\u003econn.streams\u003c/code\u003e map for every promised stream ID without consulting \u003ccode\u003emax_concurrent_streams\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious server intentionally withholds the corresponding response \u003ccode\u003eHEADERS\u003c/code\u003e for all the promised stream IDs.\u003c/li\u003e\n\u003cli\u003eAs the \u003ccode\u003econn.streams\u003c/code\u003e map grows linearly with each unfulfilled \u003ccode\u003ePUSH_PROMISE\u003c/code\u003e frame, the Mint client's process consumes an increasing amount of memory until it crashes due to an Out-Of-Memory (OOM) error.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-48862 results in a remote, unauthenticated denial-of-service against any process utilizing Mint as an HTTP/2 client when connecting to an untrusted or attacker-controlled server. Since HTTP/2 server push is enabled by default in Mint, no specific application opt-in is required for the vulnerability to be exploitable. Affected systems include outbound HTTP/2 clients in web backends, webhook delivery services, data scrapers, federated components, and proxy services that interact with external HTTP/2 origins. An attacker can crash the client process, rendering the service unavailable and potentially requiring manual intervention to restore.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all affected Mint HTTP/2 clients to version 1.9.0 or newer immediately to mitigate CVE-2026-48862.\u003c/li\u003e\n\u003cli\u003eFor systems that cannot be immediately upgraded, disable HTTP/2 server push on connections to untrusted servers by explicitly passing \u003ccode\u003eclient_settings: [enable_push: false]\u003c/code\u003e to the \u003ccode\u003e'Elixir.Mint.HTTP':connect/4\u003c/code\u003e function as a workaround for CVE-2026-48862.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T23:21:09Z","date_published":"2026-07-09T23:21:09Z","id":"https://feed.craftedsignal.io/briefs/2026-07-mint-dos/","summary":"A malicious or compromised HTTP/2 server can exploit CVE-2026-48862 in Mint HTTP/2 clients by flooding them with PUSH_PROMISE frames and withholding corresponding HEADERS, leading to unbounded memory consumption and denial-of-service.","title":"Mint HTTP/2 Client Unbounded Stream Map Growth Denial-of-Service (CVE-2026-48862)","url":"https://feed.craftedsignal.io/briefs/2026-07-mint-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Mint (\u003e= 0.2.0, \u003c 1.9.0)","version":"https://jsonfeed.org/version/1.1"}