Resource Exhaustion Vulnerability in Elixir Mint by Elixir
CVE-2026-58229
8.2HIGH
What is CVE-2026-58229?
A vulnerability in Elixir Mint allows a remote HTTP server to exhaust memory resources on the client host, potentially causing a denial of service. Due to the design of the Mint.HTTP1.decode_headers/5 and Mint.HTTP1.decode_trailer_headers/4 functions, the headers and trailer fields are accumulated without any limit. This flaw enables attackers to send an unlimited number of headers across TCP segments, ultimately overwhelming the memory until the application is terminated by the operating system's out-of-memory handler. This issue affects all Mint versions from 0.1.0 to below 1.9.2.
Affected Version(s)
mint 0.1.0 < 1.9.2
mint 3e6de4bac4821b0eb4d6109e8b1f3fb6458792c8 < 566d702e6f29105f77522ca7aabb9f64f2f4e333
References
CVSS V4
Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
zx (Jace)
Andrea Leopardi
Eric Meadows-Jönsson
Jonatan Männchen / EEF
