<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Mint - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/mint/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 23:21:55 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/mint/feed.xml" rel="self" type="application/rss+xml"/><item><title>Mint HTTP/2 Client Vulnerable to Unbounded CONTINUATION Frame Accumulation (CVE-2026-49754)</title><link>https://feed.craftedsignal.io/briefs/2026-07-mint-http2-continuation-flood/</link><pubDate>Thu, 09 Jul 2026 23:21:55 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-mint-http2-continuation-flood/</guid><description>A malicious or compromised HTTP/2 server can exploit CVE-2026-49754 in the Elixir Mint HTTP/2 client by sending an endless chain of CONTINUATION frames without an END_HEADERS flag, leading to unbounded memory accumulation, process exhaustion, and remote unauthenticated denial-of-service.</description><content:encoded><![CDATA[<p>The Elixir Mint HTTP/2 client is vulnerable to a denial-of-service attack (CVE-2026-49754) due to an unbounded accumulation of <code>CONTINUATION</code> header-block fragments. This vulnerability, disclosed by GHSA, allows a malicious or compromised HTTP/2 server to exhaust the client's memory. By streaming an endless sequence of <code>CONTINUATION</code> frames following an initial <code>HEADERS</code> frame that lacks the <code>END_HEADERS</code> flag, an attacker can drive the client's process memory to arbitrary size. This flaw affects Mint versions prior to 1.9.0 and requires no specific client-side configuration, making the default Mint client susceptible. A single connection to an attacker-controlled HTTP/2 endpoint is sufficient to trigger memory exhaustion and ultimately crash the BEAM process, resulting in a remote, unauthenticated denial-of-service.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A victim application using the Elixir Mint HTTP/2 client establishes an HTTP/2 connection to a server.</li>
<li>The client sends an HTTP/2 <code>HEADERS</code> frame as part of a request to the server.</li>
<li>An attacker-controlled or compromised HTTP/2 server receives the client's request.</li>
<li>The malicious server responds to the client's request by sending a <code>HEADERS</code> frame on stream 1, deliberately setting <code>flags = 0</code> (omitting <code>END_HEADERS</code> and <code>END_STREAM</code>) and including an empty header-block fragment.</li>
<li>The malicious server then continuously streams <code>CONTINUATION</code> frames on stream 1, each with <code>flags = 0</code> and a payload up to the peer-advertised <code>SETTINGS_MAX_FRAME_SIZE</code>, never setting <code>END_HEADERS</code>.</li>
<li>The Mint client's HTTP/2 receive path, specifically the <code>'Elixir.Mint.HTTP2':handle_continuation/3</code> function, continuously appends these <code>CONTINUATION</code> fragments to the <code>conn.headers_being_processed</code> buffer.</li>
<li>Due to the absence of per-stream size caps or <code>CONTINUATION</code> frame-count caps, the client's process memory grows linearly and uncontrollably with the incoming flood of <code>CONTINUATION</code> frames.</li>
<li>The unbounded memory growth eventually leads to memory exhaustion and an Out-Of-Memory (OOM) error, causing the entire Elixir BEAM process running the Mint client to crash, resulting in a denial-of-service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-49754 results in a remote, unauthenticated denial-of-service against any application utilizing the Elixir Mint HTTP/2 client to connect to an untrusted or attacker-influenced server. A single connection is sufficient for an attacker to drive the client's memory to an arbitrary size, leading to the crash of the underlying BEAM process. This can incapacitate critical services or applications relying on Mint for HTTP/2 communication, causing significant operational disruption and data unavailability. The default Mint configuration is vulnerable, requiring no specific client-side opt-in for exploitation. The vulnerability has been scored CVSS v4.0 8.2 (HIGH).</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Elixir Mint library to version 1.9.0 or later to patch CVE-2026-49754.</li>
<li>If immediate patching is not possible, restrict Mint to HTTP/1 for connections to untrusted servers by passing <code>protocols: [:http1]</code> to <code>'Elixir.Mint.HTTP':connect/4</code> to avoid the vulnerable HTTP/2 receive path, as outlined in the workarounds.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>http/2</category><category>denial-of-service</category><category>vulnerability</category><category>elixir</category><category>mint</category></item></channel></rss>