PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-58229 elixir-mint CVE debrief

A vulnerability in elixir-mint mint allows a remote HTTP server to exhaust memory on the client host and cause a denial of service. The Mint.HTTP1.decode_headers/5 and Mint.HTTP1.decode_trailer_headers/4 functions accumulate every parsed response header and chunked-trailer field into a per-request list that persists across incoming TCP segments as request.headers_buffer, and only clear it when the terminating blank line is received. This issue affects mint: from 0.1.0 before 1.9.2. Users of elixir-mint mint, especially those using it as an HTTP client in their applications, should be aware of this vulnerability and take necessary actions to protect themselves.

Vendor
elixir-mint
Product
mint
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-14
Advisory published
2026-07-14
Advisory updated
2026-07-14

Who should care

Users of elixir-mint mint, especially those using it as an HTTP client in their applications, should be aware of this vulnerability and take necessary actions to protect themselves. This includes updating elixir-mint mint to version 1.9.2 or later, monitoring for suspicious HTTP traffic, and implementing memory limits and monitoring for BEAM nodes.

Technical summary

The Mint.HTTP1.decode_headers/5 and Mint.HTTP1.decode_trailer_headers/4 functions in lib/mint/http1.ex accumulate every parsed response header and chunked-trailer field into a per-request list that persists across incoming TCP segments as request.headers_buffer, and only clear it when the terminating blank line is received. A malicious HTTP server can stream complete header lines indefinitely without emitting the terminating blank line, causing the connection state to grow without bound until the BEAM node is killed by the operating system's out-of-memory handler.

Defensive priority

High priority should be given to updating elixir-mint mint to version 1.9.2 or later.

Recommended defensive actions

  • Update elixir-mint mint to version 1.9.2 or later
  • Monitor for suspicious HTTP traffic
  • Implement memory limits and monitoring for BEAM nodes
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-14T09:16:41.313Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The Mint.HTTP1.decode_headers/5 and Mint.HTTP1.decode_trailer_headers/4 functions in lib/mint/http1.ex accumulate every parsed response header and chunked-trailer field into a per-request list that persists across incoming TCP segments as request.headers_buffer, and only clear it when the terminating blank line is received. A malicious HTTP server can stream complete header lines indefinitely without emitting the terminating blank line, causing the connection state to grow without bound until the BEAM node is killed by the operating system's out-of-memory handler.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T09:16:41.313Z and has not been modified since then. The NVD entry is currently Received.