CVE-2026-49754: HTTP/2 CONTINUATION flood in Mint client via unbounded header-block accumulation
Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client (HTTP/2 CONTINUATION flood). When Mint's HTTP/2 receive path observes a HEADERS frame without the END_HEADERS flag, the unparsed header-block fragment is parked in conn.headers_being_processed, and every subsequent CONTINUATION frame on that stream is appended to the accumulator. Nothing in the receive path caps the accumulator: there is no per-stream size limit, no CONTINUATION frame-count limit, and max_header_list_size is only enforced on outgoing requests, never on inbound header blocks (its default is :infinity). A malicious or compromised HTTP/2 server can stream an endless sequence of CONTINUATION frames (each up to the peer-advertised SETTINGS_MAX_FRAME_SIZE) and drive the client's iolist to arbitrary size, causing memory exhaustion and BEAM process death. A single connection to an attacker-controlled HTTP/2 endpoint is sufficient. This issue affects mint: from 0.1.0 before 1.9.0.
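The receive-path behaviour described above, as an added example that is not Mint's code: a minimal HTTP/2 frame reader that replays the HEADERS/CONTINUATION accumulation for one stream, first with no bound (the reported behaviour, where the parked block grows by one payload per CONTINUATION and END_HEADERS never arrives) and then with a cap on the accumulated compressed bytes, which is one possible hardening and not a description of how 1.9.0 fixes it. The frame bytes, stream ids and the `flood_frames` generator are constructed for this example; the `ENHANCE_YOUR_CALM` handling is an assumption about what a hardened client should do, not something the advisory states.

```python
import struct
from typing import Iterable, Iterator, Optional, Tuple

# Frame types and flags from RFC 9113 (sections 6.2 and 6.10).
HEADERS = 0x1
CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4
DEFAULT_MAX_FRAME_SIZE = 16_384  # initial SETTINGS_MAX_FRAME_SIZE value

Frame = Tuple[int, int, int, bytes]  # (type, flags, stream_id, payload)


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload


def parse_frames(data: bytes) -> Iterator[Frame]:
    """Split a byte string into frames; a truncated frame is a ValueError."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack("!I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        pos += 9 + length


def accumulate_header_block(frames: Iterable[Frame],
                            max_block_size: Optional[int] = None) -> Tuple[str, int]:
    """
    Replay the client receive path for one header block.

    HEADERS without END_HEADERS opens the block and parks its fragment; each
    CONTINUATION on the same stream is appended until END_HEADERS arrives.
    Returns (status, accumulated_bytes) where status is one of:
      "complete"        END_HEADERS seen, block ready for HPACK decoding
      "pending"         input ended mid-block (a flood never sends END_HEADERS)
      "rejected"        max_block_size would be exceeded; a real client should
                        send GOAWAY (ENHANCE_YOUR_CALM) and close the connection
      "protocol_error"  CONTINUATION sequencing violated (RFC 9113 section 6.10)
    With max_block_size=None nothing bounds the accumulator, which is the
    reported behaviour.
    """
    open_stream: Optional[int] = None
    fragments = []  # the parked header-block fragments (Mint keeps an iolist)
    size = 0
    for ftype, flags, stream_id, payload in frames:
        if ftype == HEADERS:
            if open_stream is not None:
                return "protocol_error", size
            open_stream = stream_id
        elif ftype == CONTINUATION:
            if open_stream != stream_id:
                return "protocol_error", size
        else:
            # Any other frame while a block is open is a connection error;
            # frames outside a header block are not modelled here.
            if open_stream is not None:
                return "protocol_error", size
            continue
        if max_block_size is not None and size + len(payload) > max_block_size:
            return "rejected", size + len(payload)  # checked before the bytes are retained
        fragments.append(payload)
        size += len(payload)
        if flags & FLAG_END_HEADERS:
            return "complete", size
    return "pending", size


def flood_frames(stream_id: int, n_continuations: int,
                 frame_size: int = DEFAULT_MAX_FRAME_SIZE) -> Iterator[Frame]:
    """Constructed attacker behaviour: HEADERS without END_HEADERS, then
    n CONTINUATION frames that never set END_HEADERS. Generated lazily, so
    the attacker pays nothing while the victim accumulates every payload."""
    filler = b"\x00" * frame_size  # opaque HPACK bytes; never decoded, END_HEADERS never comes
    yield HEADERS, 0, stream_id, filler
    for _ in range(n_continuations):
        yield CONTINUATION, 0, stream_id, filler


def demo() -> None:
    # A legitimate split header block: constructed HPACK bytes, two frames, then END_HEADERS.
    legit = (encode_frame(HEADERS, 0, 1, b"\x82\x86")
             + encode_frame(CONTINUATION, FLAG_END_HEADERS, 1, b"\x84"))
    print(accumulate_header_block(parse_frames(legit)))               # ('complete', 3)
    print(accumulate_header_block(flood_frames(3, 1000)))             # ('pending', 16400384)
    print(accumulate_header_block(flood_frames(3, 1000), 64 * 1024))  # ('rejected', 81920)


if __name__ == "__main__":
    demo()
```

The unbounded run holds 1001 frames of 16 KiB after only 1000 CONTINUATION frames and would keep growing for as long as the server keeps sending; the bounded run stops at the fifth frame. Note that the cap is applied to the compressed bytes as they arrive, not to the decoded header list, because HPACK decoding cannot start until END_HEADERS is seen, which is exactly the point at which the flood never arrives.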
Metrics
- CVSS v4.0
- 8.2
- Severity
- HIGH
- Fixed in
- 1.9.0
- Affected Products
- 2
HarborGuard Analysis
Synopsis
An unbounded resource allocation vulnerability in the Elixir Mint HTTP client library allows a malicious or compromised HTTP/2 server to exhaust memory in the connecting client process. The attack is reachable over the network with no authentication required: any Mint client that opens an HTTP/2 connection to an attacker-controlled endpoint is exposed. Successful exploitation crashes the BEAM process handling the connection, causing a denial of service. A patched-image rebuild at version 1.9.0 is available on HarborGuard for environments running an affected version of Mint.
HarborGuard Coverage
Detection of CVE-2026-49754 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including EEF. Coverage extends to custom-built images that bundle affected versions of the Mint library (0.1.0 through 1.8.x).
HarborGuard triage applies the CVSS v4.0 score of 8.2 (HIGH) to every matched image and weights findings against each customer environment's configured compliance policy. Routed findings are directed to the appropriate team inbox within the customer organization based on image ownership and policy assignments.
A patched-image rebuild pinned to Mint 1.9.0 (commit b662d127d3028b5426c88d4c9cc7fe430491a10b) becomes available on HarborGuard the moment the fix version is confirmed against an affected image. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must operate or control an HTTP/2 server that the Mint client connects to over the network; no local access to the client host is needed.
- Authentication: Not required
No credentials or account are required; any Mint client that opens a connection to the malicious endpoint is sufficient to trigger the attack.
- Victim interaction: Not required
No user action is needed beyond the application initiating an HTTP/2 connection, which may happen autonomously as part of normal service operation.
- Attack complexity: Low (AC:L), with attack requirements present (AT:P)
Once the connection exists the exploit is reliable: the server only has to keep sending CONTINUATION frames without END_HEADERS. The AT:P metric records the one precondition outside the attacker's direct control: the client must establish a connection to an attacker-controlled HTTP/2 endpoint, which depends on application behavior (for example, fetching user-supplied URLs) or on DNS/routing manipulation.
Blast Radius
- The BEAM process managing the affected HTTP/2 connection is killed due to memory exhaustion.
- Any in-flight requests on that connection are lost and responses are never delivered to the application.
- Depending on supervision strategy, repeated connection attempts to the same malicious endpoint can keep crashing worker processes, degrading or halting the consuming service.
- No confidentiality or data integrity impact is indicated; the attacker gains only the ability to crash the client-side connection process.
How HarborGuard Handles This
Available on HarborGuard: detection against this CVE fires within minutes of advisory ingestion for any image containing Mint versions 0.1.0 through 1.8.x, including privately built images. Where a patched image rebuild is feasible, HarborGuard makes a rebuild at Mint 1.9.0 available upon confirmation of the affected version. For customers with auto-remediation enabled, the pipeline performs the rebuild, executes regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation active. Where auto-remediation is not permitted by compliance policy, HarborGuard surfaces the finding with CVSS 8.2 severity and recommended remediation steps. As a compensating control until patching is complete, consider applying egress network policy to restrict outbound HTTP/2 connections to only trusted, known-good server endpoints, reducing the application's exposure to attacker-controlled HTTP/2 infrastructure.
Affected Products
- elixir-mint / mint < 1.9.0 (from 0.1.0)
- elixir-mint / mint < b662d127d3028b5426c88d4c9cc7fe430491a10b (from 596ca4304504be68939c4929e0831557097962b8)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N