<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Mint (&gt;= 0.2.0, &lt; 1.9.0) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/mint--0.2.0--1.9.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 23:21:09 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/mint--0.2.0--1.9.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>Mint HTTP/2 Client Unbounded Stream Map Growth Denial-of-Service (CVE-2026-48862)</title><link>https://feed.craftedsignal.io/briefs/2026-07-mint-dos/</link><pubDate>Thu, 09 Jul 2026 23:21:09 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-mint-dos/</guid><description>A malicious or compromised HTTP/2 server can exploit CVE-2026-48862 in Mint HTTP/2 clients by flooding them with PUSH_PROMISE frames and withholding corresponding HEADERS, leading to unbounded memory consumption and denial-of-service.</description><content:encoded><![CDATA[<p>Elixir-Mint HTTP/2 client versions 0.2.0 through 1.8.x are vulnerable to a remote, unauthenticated denial-of-service attack, identified as CVE-2026-48862. A hostile or compromised HTTP/2 server can leverage this vulnerability by sending an excessive number of <code>PUSH_PROMISE</code> frames without following up with the matching <code>HEADERS</code>. Mint's client, by default, accepts <code>PUSH_PROMISE</code> frames and inserts entries into an internal connection stream map without properly enforcing the <code>max_concurrent_streams</code> limit, causing the map to grow indefinitely. This unbounded growth leads to linear memory consumption within the client process, eventually resulting in an out-of-memory (OOM) crash and denying service. This vulnerability affects any application using Mint as an HTTP/2 client, especially those connecting to untrusted or attacker-influenced servers, such as web backends, webhook delivery systems, and proxy components.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A malicious or compromised HTTP/2 server establishes a long-lived HTTP/2 connection with a vulnerable Mint client.</li>
<li>The Mint client sends its initial request <code>HEADERS</code> for a specific odd stream ID.</li>
<li>The malicious server captures the client's request stream ID.</li>
<li>The malicious server then sends a rapid flood of <code>PUSH_PROMISE</code> frames, each associated with the client's request stream ID.</li>
<li>Each <code>PUSH_PROMISE</code> frame specifies a new, unique even stream ID and carries a minimal HPACK-encoded header block.</li>
<li>The Mint client processes each <code>PUSH_PROMISE</code> frame, adding a <code>:reserved_remote</code> entry into its <code>conn.streams</code> map for every promised stream ID without consulting <code>max_concurrent_streams</code>.</li>
<li>The malicious server intentionally withholds the corresponding response <code>HEADERS</code> for all the promised stream IDs.</li>
<li>As the <code>conn.streams</code> map grows linearly with each unfulfilled <code>PUSH_PROMISE</code> frame, the Mint client's process consumes an increasing amount of memory until it crashes due to an Out-Of-Memory (OOM) error.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-48862 results in a remote, unauthenticated denial-of-service against any process utilizing Mint as an HTTP/2 client when connecting to an untrusted or attacker-controlled server. Since HTTP/2 server push is enabled by default in Mint, no specific application opt-in is required for the vulnerability to be exploitable. Affected systems include outbound HTTP/2 clients in web backends, webhook delivery services, data scrapers, federated components, and proxy services that interact with external HTTP/2 origins. An attacker can crash the client process, rendering the service unavailable and potentially requiring manual intervention to restore.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade all affected Mint HTTP/2 clients to version 1.9.0 or newer immediately to mitigate CVE-2026-48862.</li>
<li>For systems that cannot be immediately upgraded, disable HTTP/2 server push on connections to untrusted servers by explicitly passing <code>client_settings: [enable_push: false]</code> to the <code>'Elixir.Mint.HTTP':connect/4</code> function as a workaround for CVE-2026-48862.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>http/2</category><category>elixir</category><category>client-side</category><category>vulnerability</category></item></channel></rss>