{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/elixir-mint/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-49754"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Mint (\u003c 1.9.0)"],"_cs_severities":["medium"],"_cs_tags":["http/2","denial-of-service","vulnerability","elixir","mint"],"_cs_type":"advisory","_cs_vendors":["Elixir Mint"],"content_html":"\u003cp\u003eThe Elixir Mint HTTP/2 client is vulnerable to a denial-of-service attack (CVE-2026-49754) due to an unbounded accumulation of \u003ccode\u003eCONTINUATION\u003c/code\u003e header-block fragments. This vulnerability, disclosed by GHSA, allows a malicious or compromised HTTP/2 server to exhaust the client's memory. By streaming an endless sequence of \u003ccode\u003eCONTINUATION\u003c/code\u003e frames following an initial \u003ccode\u003eHEADERS\u003c/code\u003e frame that lacks the \u003ccode\u003eEND_HEADERS\u003c/code\u003e flag, an attacker can drive the client's process memory to arbitrary size. This flaw affects Mint versions prior to 1.9.0 and requires no specific client-side configuration, making the default Mint client susceptible. A single connection to an attacker-controlled HTTP/2 endpoint is sufficient to trigger memory exhaustion and ultimately crash the BEAM process, resulting in a remote, unauthenticated denial-of-service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA victim application using the Elixir Mint HTTP/2 client establishes an HTTP/2 connection to a server.\u003c/li\u003e\n\u003cli\u003eThe client sends an HTTP/2 \u003ccode\u003eHEADERS\u003c/code\u003e frame as part of a request to the server.\u003c/li\u003e\n\u003cli\u003eAn attacker-controlled or compromised HTTP/2 server receives the client's request.\u003c/li\u003e\n\u003cli\u003eThe malicious server responds to the client's request by sending a \u003ccode\u003eHEADERS\u003c/code\u003e frame on stream 1, deliberately setting \u003ccode\u003eflags = 0\u003c/code\u003e (omitting \u003ccode\u003eEND_HEADERS\u003c/code\u003e and \u003ccode\u003eEND_STREAM\u003c/code\u003e) and including an empty header-block fragment.\u003c/li\u003e\n\u003cli\u003eThe malicious server then continuously streams \u003ccode\u003eCONTINUATION\u003c/code\u003e frames on stream 1, each with \u003ccode\u003eflags = 0\u003c/code\u003e and a payload up to the peer-advertised \u003ccode\u003eSETTINGS_MAX_FRAME_SIZE\u003c/code\u003e, never setting \u003ccode\u003eEND_HEADERS\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Mint client's HTTP/2 receive path, specifically the \u003ccode\u003e'Elixir.Mint.HTTP2':handle_continuation/3\u003c/code\u003e function, continuously appends these \u003ccode\u003eCONTINUATION\u003c/code\u003e fragments to the \u003ccode\u003econn.headers_being_processed\u003c/code\u003e buffer.\u003c/li\u003e\n\u003cli\u003eDue to the absence of per-stream size caps or \u003ccode\u003eCONTINUATION\u003c/code\u003e frame-count caps, the client's process memory grows linearly and uncontrollably with the incoming flood of \u003ccode\u003eCONTINUATION\u003c/code\u003e frames.\u003c/li\u003e\n\u003cli\u003eThe unbounded memory growth eventually leads to memory exhaustion and an Out-Of-Memory (OOM) error, causing the entire Elixir BEAM process running the Mint client to crash, resulting in a denial-of-service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-49754 results in a remote, unauthenticated denial-of-service against any application utilizing the Elixir Mint HTTP/2 client to connect to an untrusted or attacker-influenced server. A single connection is sufficient for an attacker to drive the client's memory to an arbitrary size, leading to the crash of the underlying BEAM process. This can incapacitate critical services or applications relying on Mint for HTTP/2 communication, causing significant operational disruption and data unavailability. The default Mint configuration is vulnerable, requiring no specific client-side opt-in for exploitation. The vulnerability has been scored CVSS v4.0 8.2 (HIGH).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Elixir Mint library to version 1.9.0 or later to patch CVE-2026-49754.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not possible, restrict Mint to HTTP/1 for connections to untrusted servers by passing \u003ccode\u003eprotocols: [:http1]\u003c/code\u003e to \u003ccode\u003e'Elixir.Mint.HTTP':connect/4\u003c/code\u003e to avoid the vulnerable HTTP/2 receive path, as outlined in the workarounds.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T23:21:55Z","date_published":"2026-07-09T23:21:55Z","id":"https://feed.craftedsignal.io/briefs/2026-07-mint-http2-continuation-flood/","summary":"A malicious or compromised HTTP/2 server can exploit CVE-2026-49754 in the Elixir Mint HTTP/2 client by sending an endless chain of CONTINUATION frames without an END_HEADERS flag, leading to unbounded memory accumulation, process exhaustion, and remote unauthenticated denial-of-service.","title":"Mint HTTP/2 Client Vulnerable to Unbounded CONTINUATION Frame Accumulation (CVE-2026-49754)","url":"https://feed.craftedsignal.io/briefs/2026-07-mint-http2-continuation-flood/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-48862"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Mint (\u003e= 0.2.0, \u003c 1.9.0)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","http/2","elixir","client-side","vulnerability"],"_cs_type":"advisory","_cs_vendors":["elixir-mint"],"content_html":"\u003cp\u003eElixir-Mint HTTP/2 client versions 0.2.0 through 1.8.x are vulnerable to a remote, unauthenticated denial-of-service attack, identified as CVE-2026-48862. A hostile or compromised HTTP/2 server can leverage this vulnerability by sending an excessive number of \u003ccode\u003ePUSH_PROMISE\u003c/code\u003e frames without following up with the matching \u003ccode\u003eHEADERS\u003c/code\u003e. Mint's client, by default, accepts \u003ccode\u003ePUSH_PROMISE\u003c/code\u003e frames and inserts entries into an internal connection stream map without properly enforcing the \u003ccode\u003emax_concurrent_streams\u003c/code\u003e limit, causing the map to grow indefinitely. This unbounded growth leads to linear memory consumption within the client process, eventually resulting in an out-of-memory (OOM) crash and denying service. This vulnerability affects any application using Mint as an HTTP/2 client, especially those connecting to untrusted or attacker-influenced servers, such as web backends, webhook delivery systems, and proxy components.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious or compromised HTTP/2 server establishes a long-lived HTTP/2 connection with a vulnerable Mint client.\u003c/li\u003e\n\u003cli\u003eThe Mint client sends its initial request \u003ccode\u003eHEADERS\u003c/code\u003e for a specific odd stream ID.\u003c/li\u003e\n\u003cli\u003eThe malicious server captures the client's request stream ID.\u003c/li\u003e\n\u003cli\u003eThe malicious server then sends a rapid flood of \u003ccode\u003ePUSH_PROMISE\u003c/code\u003e frames, each associated with the client's request stream ID.\u003c/li\u003e\n\u003cli\u003eEach \u003ccode\u003ePUSH_PROMISE\u003c/code\u003e frame specifies a new, unique even stream ID and carries a minimal HPACK-encoded header block.\u003c/li\u003e\n\u003cli\u003eThe Mint client processes each \u003ccode\u003ePUSH_PROMISE\u003c/code\u003e frame, adding a \u003ccode\u003e:reserved_remote\u003c/code\u003e entry into its \u003ccode\u003econn.streams\u003c/code\u003e map for every promised stream ID without consulting \u003ccode\u003emax_concurrent_streams\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious server intentionally withholds the corresponding response \u003ccode\u003eHEADERS\u003c/code\u003e for all the promised stream IDs.\u003c/li\u003e\n\u003cli\u003eAs the \u003ccode\u003econn.streams\u003c/code\u003e map grows linearly with each unfulfilled \u003ccode\u003ePUSH_PROMISE\u003c/code\u003e frame, the Mint client's process consumes an increasing amount of memory until it crashes due to an Out-Of-Memory (OOM) error.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-48862 results in a remote, unauthenticated denial-of-service against any process utilizing Mint as an HTTP/2 client when connecting to an untrusted or attacker-controlled server. Since HTTP/2 server push is enabled by default in Mint, no specific application opt-in is required for the vulnerability to be exploitable. Affected systems include outbound HTTP/2 clients in web backends, webhook delivery services, data scrapers, federated components, and proxy services that interact with external HTTP/2 origins. An attacker can crash the client process, rendering the service unavailable and potentially requiring manual intervention to restore.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all affected Mint HTTP/2 clients to version 1.9.0 or newer immediately to mitigate CVE-2026-48862.\u003c/li\u003e\n\u003cli\u003eFor systems that cannot be immediately upgraded, disable HTTP/2 server push on connections to untrusted servers by explicitly passing \u003ccode\u003eclient_settings: [enable_push: false]\u003c/code\u003e to the \u003ccode\u003e'Elixir.Mint.HTTP':connect/4\u003c/code\u003e function as a workaround for CVE-2026-48862.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T23:21:09Z","date_published":"2026-07-09T23:21:09Z","id":"https://feed.craftedsignal.io/briefs/2026-07-mint-dos/","summary":"A malicious or compromised HTTP/2 server can exploit CVE-2026-48862 in Mint HTTP/2 clients by flooding them with PUSH_PROMISE frames and withholding corresponding HEADERS, leading to unbounded memory consumption and denial-of-service.","title":"Mint HTTP/2 Client Unbounded Stream Map Growth Denial-of-Service (CVE-2026-48862)","url":"https://feed.craftedsignal.io/briefs/2026-07-mint-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Elixir Mint","version":"https://jsonfeed.org/version/1.1"}