CVE-2026-48862 | Severity: HIGH | CNA: EEF

CVE-2026-48862: Unbounded conn.streams growth in Mint HTTP/2 client via unenforced PUSH_PROMISE concurrency

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client via PUSH_PROMISE flooding. In lib/mint/http2.ex, Mint.HTTP2.decode_push_promise_headers_and_add_response/5 inserts a :reserved_remote entry into conn.streams for every promised stream ID. The neighbouring Mint.HTTP2.assert_valid_promised_stream_id/2 only verifies that the promised ID is even and not already present; client_settings.max_concurrent_streams is not consulted at promise time. The concurrency cap is only checked when the response HEADERS for the promised stream arrive, so a server that emits PUSH_PROMISE frames and withholds the matching HEADERS never trips that check. HTTP/2 server push is accepted by default (client_settings.enable_push defaults to true). A single long-lived HTTP/2 connection to a hostile server lets that server pin one conn.streams entry per PUSH_PROMISE frame it sends, with no upper bound, until the client process runs out of memory. This issue affects mint: from 0.2.0 before 1.9.0.
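To make the missing check concrete, the following added example (not Mint's code; module, function names and the flood driver are assumptions for illustration) models conn.streams as a plain map and places the advisory's promise-time bookkeeping next to a version that enforces max_concurrent_streams when the PUSH_PROMISE arrives rather than when its HEADERS do:

```elixir
defmodule PushPromiseGuard do
  # Constructed model of the conn.streams bookkeeping from CVE-2026-48862: `streams`
  # stands in for conn.streams as stream_id => state; names here are illustration-only.
  # Vulnerable shape: a promised ID only has to be even and unused, so every
  # PUSH_PROMISE frame adds a :reserved_remote entry with no upper bound.
  def reserve_unbounded(streams, promised_id) do
    with :ok <- check_id(streams, promised_id) do
      {:ok, Map.put(streams, promised_id, :reserved_remote)}
    end
  end

  # Hardened shape: also count streams the server already holds reserved and refuse
  # the promise once the advertised max_concurrent_streams is reached; the client
  # can treat the refusal as a protocol error and close the connection.
  def reserve_bounded(streams, promised_id, max_concurrent_streams) do
    with :ok <- check_id(streams, promised_id),
         :ok <- check_capacity(streams, max_concurrent_streams) do
      {:ok, Map.put(streams, promised_id, :reserved_remote)}
    end
  end

  defp check_id(streams, id) do
    cond do
      rem(id, 2) != 0 -> {:error, :odd_promised_stream_id}
      Map.has_key?(streams, id) -> {:error, :stream_id_already_in_use}
      true -> :ok
    end
  end

  # Counts :reserved_remote only; a full client would also count promised streams
  # that have since moved to :open or :half_closed_local.
  defp check_capacity(streams, max) do
    reserved = Enum.count(streams, fn {_id, state} -> state == :reserved_remote end)
    if reserved >= max, do: {:error, :max_concurrent_streams_exceeded}, else: :ok
  end

  # Simulated flood: the server promises even IDs 2, 4, 6, ... and withholds the
  # matching HEADERS, so no entry ever leaves the table.
  def flood(reserve_fun, frames) do
    Enum.reduce_while(1..frames, %{}, fn n, streams ->
      case reserve_fun.(streams, 2 * n) do
        {:ok, streams} -> {:cont, streams}
        {:error, _reason} -> {:halt, streams}
      end
    end)
  end
end

# Same 10_000-frame flood against both variants; compare the resulting table sizes.
IO.inspect(map_size(PushPromiseGuard.flood(&PushPromiseGuard.reserve_unbounded/2, 10_000)), label: "unbounded")
IO.inspect(map_size(PushPromiseGuard.flood(&PushPromiseGuard.reserve_bounded(&1, &2, 100), 10_000)), label: "bounded")
```

Independently of the library fix, a client that never consumes pushed responses can set enable_push to false in the client_settings it passes at connect time, which removes the PUSH_PROMISE path altogether.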

Metrics

  • CVSS v4.0: 8.2
  • Severity: HIGH
  • Fixed in: 1.9.0
  • Affected Products: 2


HarborGuard Analysis

Synopsis

This is an allocation-without-limits vulnerability in the Mint HTTP/2 client library for Elixir. An attacker-controlled HTTP/2 server can flood a connecting Mint client with PUSH_PROMISE frames, each of which adds an entry to the client's in-memory stream table, and that table grows without bound because the client never enforces its max_concurrent_streams cap at promise time. Successful exploitation exhausts the heap of the Elixir process running the Mint client, causing a denial of service. A patched-image rebuild at version 1.9.0 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built Elixir images that bundle the Mint library. Any image containing mint versions 0.2.0 through 1.8.x will surface as affected.

Triage: Available

HarborGuard scores this finding at CVSS 8.2 HIGH and weights it against each environment's compliance policy to determine the urgency tier. Triage routing to the appropriate team inbox within a customer org happens automatically based on registry ownership and policy configuration.

Patch: Available

A patched-image rebuild pinned to mint 1.9.0 (commit 70b97b6a) is available on HarborGuard for any image found to contain an affected version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must operate or control an HTTP/2 server that the target Mint client connects to over the network; the exploit is delivered through that server-to-client connection.

  • Authentication: Not required

    No authentication or credentials are needed; any Mint client that opens a connection to the hostile server is immediately exposed.

  • Victim interaction: Not required

    No user action beyond the existing HTTP/2 connection is needed; the server can flood PUSH_PROMISE frames as soon as the connection is established.

  • Attack complexity: Low (AC:L)

    The exploit is straightforward and condition-free once a connection exists, though the CVSS vector carries an attack-requirements token (AT:P), indicating the attacker must be in a position to operate, or interpose as, the target's HTTP/2 server.

Blast Radius

  • The Elixir process running the Mint client exhausts available heap memory as the conn.streams map grows without bound.
  • The affected client process crashes or becomes unresponsive, severing any in-flight HTTP/2 requests it was handling.
  • If the Mint client is part of a connection pool or a long-running service, the crash can take down that service process, disrupting downstream application functionality for as long as the process remains down.

How HarborGuard Handles This

Available on HarborGuard: images containing mint versions 0.2.0 through 1.8.x are flagged automatically upon ingestion. A rebuild against the fixed release (1.9.0, commit 70b97b6a) is available for affected images; for customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a PR against affected workloads. For high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Until the rebuild is applied, customers can reduce exposure by applying network policy to restrict which servers Mint clients are permitted to connect to, ensuring outbound HTTP/2 connections are limited to trusted upstream services only. HarborGuard will re-evaluate advisory status on every ingest cycle and surface any further upstream changes to the fix.


Fix available

  • 1.9.0 (patch commit 70b97b6a5209fb288b0e04d8e657dda26c59de67)

Affected packages

  • elixir-mint / mint: < 1.9.0 (from 0.2.0)
  • elixir-mint / mint: < 70b97b6a5209fb288b0e04d8e657dda26c59de67 (from 65c6394d05a1b8aa4a7461708c3aa173e8d7a5cf)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N