Denial-of-Service Vulnerability in Elixir-Mint HPAX Product by Elixir
CVE-2026-58226

8.7HIGH

Key Information:

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-58226?

The Elixir-mint hpax product is vulnerable to a denial-of-service condition caused by an inefficient algorithmic complexity in its handling of HPACK variable-length integers. This vulnerability allows an unauthenticated attacker to exploit the decoding process by sending a specially crafted HTTP/2 header block. The flaw occurs in the 'Elixir.HPAX.Types':decode_remaining_integer/3 function, which fails to impose a limit on the size of the integers being decoded or the number of continuation octets processed. This oversight results in excessive CPU and memory consumption, leading to potential service disruption during an attack. It is crucial for users of hpax versions prior to 1.0.4 to apply the necessary patches.

Affected Version(s)

hpax 0.1.1 < 1.0.4

hpax 56db437a7e2c515e3bdd770ac7947b02cd2390d0 < 1ba4bb2dc91e80089cf89c73970ac3ded76f17eb

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Andrea Leopardi
Jonatan Männchen / EEF
Eric Meadows-Jönsson
.