{“lastseen”:””,”description”:”Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP\/2 servers to exhaust memory in a Mint client (HTTP\/2 CONTINUATION flood).\\n\\nWhen Mint’s HTTP\/2 receive path observes a HEADERS frame without the END_HEADERS flag, the unparsed header-block fragment is parked in conn.headers_being_processed, and every subsequent CONTINUATION frame on that stream is appended to the accumulator. Nothing in the receive path caps the accumulator: there is no per-stream size limit, no CONTINUATION frame-count limit, and max_header_list_size is only enforced on outgoing requests, never on inbound header blocks (its default is :infinity).\\n\\nA malicious or compromised HTTP\/2 server can stream an endless sequence of CONTINUATION frames (each up to the peer-advertised SETTINGS_MAX_FRAME_SIZE) and drive the client’s iolist to arbitrary size, causing memory exhaustion and BEAM process death. A single connection to an attacker-controlled HTTP\/2 endpoint is sufficient.\\n\\nThis issue affects mint: from 0.1.0 before 1.9.0.”,”published”:”2026-06-02T14:15:14.951Z”,”modified”:”2026-06-02T14:15:14.951Z”,”type”:”cve”,”title”:”HTTP\/2 CONTINUATION flood in Mint client via unbounded header-block accumulation”,”source”:”EEF”,”references”:”https:\/\/github.com\/elixir-mint\/mint\/security\/advisories\/GHSA-2p26-p43x-fhp8\\nhttps:\/\/cna.erlef.org\/cves\/CVE-2026-49754.html\\nhttps:\/\/osv.dev\/vulnerability\/EEF-CVE-2026-49754\\nhttps:\/\/github.com\/elixir-mint\/mint\/commit\/b662d127d3028b5426c88d4c9cc7fe430491a10b”,”id”:”CVE-2026-49754″,”bulletinFamily”:””,”cwe”:[“CWE-770″],”cvelist”:null,”sourceData”:”elixir-mint mint 0.1.0\\nelixir-mint mint 596ca4304504be68939c4929e0831557097962b8″,”sourceHref”:””,”cvss”:{“score”:8.2,”severity”:”HIGH”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:P\/PR:N\/UI:N\/VC:N\/VI:N\/VA:H\/SC:N\/SI:N\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”mint”,”version”:”0.1.0″,”vendor”:”elixir-mint”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP\/2 servers to exhaust memory in a Mint client (HTTP\/2 CONTINUATION flood).\\n\\nWhen…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,77,12,15,13,7,11,5],"class_list":["post-59243","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-82","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n