Denial of Service Vulnerability in elixir-mint HTTP Module Affects Multiple Versions
CVE-2026-56810

8.7HIGH

Key Information:

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-56810?

The elixir-mint library's Mint.HTTP1 module is prone to a denial of service vulnerability due to unbounded allocation of memory when processing oversized chunked transfer-encoded HTTP responses. An attacker can exploit this flaw by sending an improperly sized chunk response, causing the client to accumulate data in memory without ever completing, potentially leading to an out-of-memory condition. The problem arises from how the library decodes and buffers response data based on server-provided information, which can be manipulated by an unauthenticated remote server. This vulnerability affects versions of mint from 0.5.0 up to but not including 1.9.1.

Affected Version(s)

mint 0.5.0 < 1.9.1

mint c575d819d39ebf7e9b77ec24584a5ffbb11c844e < 193ce714907d16e8adc4ab3c40e4f0c2f045b2a6

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Andrea Leopardi
Jonatan Männchen / EEF
Eric Meadows-Jönsson
.