CVE-2026-49754 – HTTP/2 CONTINUATION flood in Mint client via unbounded header-block accumulation

CVE ID :CVE-2026-49754

Published : June 2, 2026, 4:16 p.m. | 16 minutes ago

Description :Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client (HTTP/2 CONTINUATION flood).

When Mint’s HTTP/2 receive path observes a HEADERS frame without the END_HEADERS flag, the unparsed header-block fragment is parked in conn.headers_being_processed, and every subsequent CONTINUATION frame on that stream is appended to the accumulator. Nothing in the receive path caps the accumulator: there is no per-stream size limit, no CONTINUATION frame-count limit, and max_header_list_size is only enforced on outgoing requests, never on inbound header blocks (its default is :infinity).

A malicious or compromised HTTP/2 server can stream an endless sequence of CONTINUATION frames (each up to the peer-advertised SETTINGS_MAX_FRAME_SIZE) and drive the client’s iolist to arbitrary size, causing memory exhaustion and BEAM process death. A single connection to an attacker-controlled HTTP/2 endpoint is sufficient.

This issue affects mint: from 0.1.0 before 1.9.0.

Severity: 8.2 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-49943 – CZ.NIC BIRD Internet Routing Daemon Stack-Based Buffer Overflow

CVE-2026-42074 – OpenClaude: Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input

CVE-2026-42073 – OpenClaude’s MCP OAuth Callback: State Check Bypass via error Param Leads to DoS

CVE-2026-40715 – Dell ThinOS Improper Access Control Privilege Escalation