Resource Exhaustion Vulnerability in Elixir-Mint Client
CVE-2026-49754
What is CVE-2026-49754?
The Elixir-Mint client has a resource exhaustion vulnerability in its HTTP/2 receive path. A malicious HTTP/2 server can send a continuous stream of CONTINUATION frames, and because no limits are imposed on the size or quantity of incoming CONTINUATION frames, the client's memory usage can be driven to maximum capacity. A single connection to an attacker-controlled HTTP/2 server is enough to exploit the flaw, resulting in the failure of processes within the Erlang BEAM environment. Users of affected Mint versions should review security updates and consider implementing compensating measures.
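The missing control, shown as an added example that is not Mint's code or its patch: a receiver that caps both the accumulated bytes and the number of CONTINUATION frames in one header block. The module name, both limits and the sample frames are assumptions made for this example; the frame layout and the type and flag values follow RFC 9113.

```elixir
defmodule BoundedHeaderBlock do
  import Bitwise
  # Frame type and flag values per RFC 9113.
  @headers 0x1
  @continuation 0x9
  @end_headers 0x4
  # Assumed limits for this example; not values taken from Mint.
  @max_block_bytes 16_384
  @max_continuations 8
  # Walks a buffer of whole frames: {:ok, block} | {:error, reason}.
  def collect(buffer), do: walk(buffer, nil)

  defp walk(<<len::24, type, flags, _r::1, sid::31, payload::binary-size(len), rest::binary>>, st) do
    case step(type, flags, sid, payload, st) do
      {:cont, next} -> walk(rest, next)
      done -> done
    end
  end
  defp walk(_short_or_empty, _st), do: {:error, :incomplete_header_block}

  # HEADERS opens a block (padding and priority fields are ignored here).
  defp step(@headers, flags, sid, payload, nil),
    do: append(flags, %{sid: sid, acc: [], size: 0, n: 0}, payload)

  # CONTINUATION must stay on the stream of the open block.
  defp step(@continuation, flags, sid, payload, %{sid: sid} = st),
    do: append(flags, %{st | n: st.n + 1}, payload)

  defp step(_type, _flags, _sid, _payload, _st), do: {:error, :protocol_error}

  # Both limits are checked before the fragment is kept in memory.
  defp append(_flags, %{n: n}, _payload) when n > @max_continuations,
    do: {:error, :too_many_continuations}

  defp append(flags, st, payload) do
    size = st.size + byte_size(payload)
    cond do
      size > @max_block_bytes -> {:error, :header_block_too_large}
      (flags &&& @end_headers) != 0 -> {:ok, IO.iodata_to_binary([st.acc, payload])}
      true -> {:cont, %{st | acc: [st.acc, payload], size: size}}
    end
  end
end

# Constructed input: one small block, then a flood that never sets END_HEADERS.
frame = fn type, flags, data -> <<byte_size(data)::24, type, flags, 0::1, 1::31, data::binary>> end
IO.inspect(BoundedHeaderBlock.collect(frame.(0x1, 0, "ab") <> frame.(0x9, 0x4, "cd")))
flood = frame.(0x1, 0, "") <> String.duplicate(frame.(0x9, 0, "x"), 100)
IO.inspect(BoundedHeaderBlock.collect(flood))
```

The byte cap applies to the header block fragments as received, before any HPACK decoding; the frame-count cap is what stops a flood of empty CONTINUATION frames that would never reach the byte limit.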
Affected Version(s)
mint 0.1.0 < 1.9.0
mint 596ca4304504be68939c4929e0831557097962b8
