{"uuid": "9ab3bf01-2f49-4fa1-873d-d968a9e7a25d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48862", "type": "seen", "source": "https://gist.github.com/alon710/be308f55a57246cb8ce657d04b30b2e9", "content": "# CVE-2026-48862: CVE-2026-48862: Unbounded Resource Allocation via HTTP/2 PUSH_PROMISE Flooding in Mint\n\n&gt; **CVSS Score:** 8.2\n&gt; **Published:** 2026-07-09\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48862\n\n## Summary\nAn allocation of resources without limits or throttling vulnerability in the Elixir Mint HTTP client library allows malicious HTTP/2 servers to trigger memory exhaustion and application denial of service. The flaw exists because Mint fails to validate server-push concurrency limits during the receipt of PUSH_PROMISE frames, deferring validation to the HEADERS phase. This allows a server to reserve an unlimited number of streams in the client's memory map.\n\n## TL;DR\nA flaw in Elixir's Mint HTTP client allows hostile HTTP/2 servers to exhaust client memory by flooding PUSH_PROMISE frames without sending headers. This triggers unbounded state allocation in the Erlang VM and crashes the client.\n\n## Technical Details\n\n- **CWE ID**: CWE-770 (Allocation of Resources Without Limits or Throttling)\n- **Attack Vector**: Network\n- **CVSS Score**: 8.2 (High)\n- **EPSS Score**: 0.00384 (30.40th percentile)\n- **Impact**: Denial of Service (Memory Exhaustion / Crash)\n- **Exploit Status**: none (No public weaponized exploits)\n- **KEV Status**: Not listed\n\n## Affected Systems\n\n- Mint HTTP Client (Elixir)\n- **mint**: &gt;= 0.2.0, &lt; 1.9.0 (Fixed in: `1.9.0`)\n\n## Mitigation\n\n- Disable HTTP/2 Server Push explicitly in connection parameters when connecting to untrusted third-party endpoints.\n- Upgrade the Mint dependency in Hex to version 1.9.0 or higher.\n- Implement process-level memory limits within the Erlang VM to prevent single-process leaks from crashing the entire virtual machine.\n\n**Remediation Steps:**\n1. Open the mix.exs file in the Elixir project.\n2. Locate the :mint dependency definition and update the version string to '&gt;= 1.9.0'.\n3. Run the command 'mix deps.get' to fetch and compile the updated library.\n4. Verify the update by confirming that 'mix.lock' references version 1.9.0 or later.\n5. Redeploy the application to production.\n\n## References\n\n- [GitHub Security Advisory: GHSA-g586-ccqf-7x4r](https://github.com/elixir-mint/mint/security/advisories/GHSA-g586-ccqf-7x4r)\n- [Official Patch Commit](https://github.com/elixir-mint/mint/commit/70b97b6a5209fb288b0e04d8e657dda26c59de67)\n- [Erlang Ecosystem Foundation Advisory](https://cna.erlef.org/cves/CVE-2026-48862.html)\n- [OSV Database Entry](https://osv.dev/vulnerability/EEF-CVE-2026-48862)\n- [NVD Details Page](https://nvd.nist.gov/vuln/detail/CVE-2026-48862)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48862) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-09T23:42:44.317323Z"}