Resource Exhaustion Vulnerability in Mint by Elixir
CVE-2026-48862

8.2 HIGH

Key Information:

Status
Vendor
CVE Published:
2 June 2026

What is CVE-2026-48862?

A resource exhaustion vulnerability in Mint allows attacker-controlled HTTP/2 servers to deplete memory resources in a Mint client through excessive PUSH_PROMISE flooding. The vulnerability arises from the way the Mint client manages promised stream IDs, which are added to the connection without proper checks against the configured maximum concurrent streams. This oversight enables malicious servers to pin an uncontrolled number of stream entries, potentially leading to memory exhaustion as promised streams continue to accumulate without limits. Although client_settings.max_concurrent_streams is checked at a later stage, the absence of verification at the initial promise stage opens a critical window for exploitation, particularly when connected to a hostile HTTP/2 server.
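The accounting gap described above, as an added example that is not Mint's own code: a minimal Elixir model of a client's table of server-initiated streams, with the unbounded behaviour beside a bounded variant that refuses further PUSH_PROMISE frames once the client's own max_concurrent_streams is reached. The module, struct fields and function names are assumptions for illustration only.

```elixir
# Added example, not Mint's code: a minimal model of the client-side table of
# server-initiated HTTP/2 streams. Struct, field and function names are assumed.
defmodule PushPromiseGuard do
  # :unbounded mirrors the flaw; :bounded enforces the client's own limit.
  defstruct streams: %{}, max_concurrent_streams: 100, refused: 0, mode: :bounded

  # Number of server-initiated streams the client is currently holding state for.
  def pinned_count(%__MODULE__{streams: streams}), do: map_size(streams)

  # Flawed behaviour: every PUSH_PROMISE pins a new stream entry, so a hostile
  # server can grow this map without bound.
  def handle_push_promise(%__MODULE__{mode: :unbounded} = conn, promised_id) do
    put_in(conn.streams[promised_id], :reserved_remote)
  end

  # Hardened behaviour: once the client's advertised max_concurrent_streams is
  # reached, the promise is refused instead of being recorded (a real client
  # would also answer that stream with RST_STREAM carrying REFUSED_STREAM).
  def handle_push_promise(%__MODULE__{mode: :bounded} = conn, promised_id) do
    if map_size(conn.streams) >= conn.max_concurrent_streams do
      %{conn | refused: conn.refused + 1}
    else
      put_in(conn.streams[promised_id], :reserved_remote)
    end
  end

  # Constructed hostile server: floods `n` promises using even (server) stream IDs.
  def flood(conn, n) when n > 0 do
    Enum.reduce(1..n, conn, fn i, acc -> handle_push_promise(acc, 2 * i) end)
  end
end

# Constructed scenario: 10_000 promises against a limit of 100 concurrent streams.
vulnerable = PushPromiseGuard.flood(%PushPromiseGuard{mode: :unbounded}, 10_000)
hardened = PushPromiseGuard.flood(%PushPromiseGuard{mode: :bounded}, 10_000)

IO.puts("unbounded: #{PushPromiseGuard.pinned_count(vulnerable)} streams pinned")
IO.puts("bounded:   #{PushPromiseGuard.pinned_count(hardened)} pinned, #{hardened.refused} refused")
```

The unbounded table ends up holding one entry per promise sent, while the bounded table stops at the configured limit and counts the rest as refused, which is the property a fix for this class of bug needs to guarantee at promise time rather than later.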

Affected Version(s)

mint 0.2.0 < 1.9.0

mint 65c6394d05a1b8aa4a7461708c3aa173e8d7a5cf < 70b97b6a5209fb288b0e04d8e657dda26c59de67

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Eric Meadows-Jönsson
Jonatan Männchen / EEF