CVE-2026-48862— Unbounded conn.streams growth in Mint HTTP/2 client via unenforced PUSH_PROMISE concurrency
Possible ATT&CK Techniques 1AI
T1496 · Resource HijackingAffected Version Matrix 2
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| elixir-mint | mint | 0.2.0< 1.9.0 | affected |
65c6394d05a1b8aa4a7461708c3aa173e8d7a5cf< 70b97b6a5209fb288b0e04d8e657dda26c59de67 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-48862
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Unbounded conn.streams growth in Mint HTTP/2 client via unenforced PUSH_PROMISE concurrency
Source: NVD (National Vulnerability Database)
Vulnerability Description
Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client via PUSH_PROMISE flooding. In lib/mint/http2.ex, Mint.HTTP2.decode_push_promise_headers_and_add_response/5 inserts a :reserved_remote entry into conn.streams for every promised stream ID. The neighbouring Mint.HTTP2.assert_valid_promised_stream_id/2 only verifies that the promised ID is even and not already present; client_settings.max_concurrent_streams is not consulted at promise time. The concurrency cap is only checked when the response HEADERS for the promised stream arrive, so a server that emits PUSH_PROMISE frames and withholds the matching HEADERS never trips that check. HTTP/2 server push is accepted by default (client_settings.enable_push defaults to true). A single long-lived HTTP/2 connection to a hostile server lets that server pin one conn.streams entry per PUSH_PROMISE frame it sends, with no upper bound, until the client process runs out of memory. This issue affects mint: from 0.2.0 before 1.9.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
不加限制或调节的资源分配
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| elixir-mint | mint | 0.2.0 ~ 1.9.0 | cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:* | |
| elixir-mint | mint | 65c6394d05a1b8aa4a7461708c3aa173e8d7a5cf ~ 70b97b6a5209fb288b0e04d8e657dda26c59de67 | cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:* |
II. Public POCs for CVE-2026-48862
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-48862
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-48862 (1)
Vendor Advisories for CVE-2026-48862 (3)
Same Patch Batch · elixir-mint · 2026-06-02 · 4 CVEs total
| CVE-2026-48861 | CRLF injection in HTTP/1 request line via unvalidated method in Mint | |
| CVE-2026-49753 | HTTP response smuggling in Mint HTTP/1 client via lenient Content-Length parsing | |
| CVE-2026-49754 | HTTP/2 CONTINUATION flood in Mint client via unbounded header-block accumulation |
IV. Related Vulnerabilities
Same weakness: CWE-770
- CVE-2026-28299
SolarWinds Web Help Desk Denial-of-Service Vulnerability - CVE-2026-48597
Atom table exhaustion via untrusted URL scheme in Tesla.Adap - CVE-2026-34077
React Router vulnerable to Denial of Service via reflected u - CVE-2026-49754
HTTP/2 CONTINUATION flood in Mint client via unbounded heade - CVE-2026-49140
Nanobot < 0.2.1 Denial of Service via Matrix Media Download
V. Comments for CVE-2026-48862
No comments yet