Denial-of-Service Vulnerability in Elixir-Mint HPAX Product by Elixir
CVE-2026-58226
What is CVE-2026-58226?
The Elixir-mint hpax product is vulnerable to a denial-of-service condition caused by an inefficient algorithmic complexity in its handling of HPACK variable-length integers. This vulnerability allows an unauthenticated attacker to exploit the decoding process by sending a specially crafted HTTP/2 header block. The flaw occurs in the 'Elixir.HPAX.Types':decode_remaining_integer/3 function, which fails to impose a limit on the size of the integers being decoded or the number of continuation octets processed. This oversight results in excessive CPU and memory consumption, leading to potential service disruption during an attack. It is crucial for users of hpax versions prior to 1.0.4 to apply the necessary patches.
Affected Version(s)
hpax 0.1.1 < 1.0.4
hpax 56db437a7e2c515e3bdd770ac7947b02cd2390d0 < 1ba4bb2dc91e80089cf89c73970ac3ded76f17eb
References
CVSS V4
Timeline
Vulnerability published
Vulnerability Reserved
