PatchSiren cyber security CVE debrief
CVE-2026-58229 elixir-mint CVE debrief
A vulnerability in elixir-mint mint allows a remote HTTP server to exhaust memory on the client host and cause a denial of service. The Mint.HTTP1.decode_headers/5 and Mint.HTTP1.decode_trailer_headers/4 functions accumulate every parsed response header and chunked-trailer field into a per-request list that persists across incoming TCP segments as request.headers_buffer, and only clear it when the terminating blank line is received. This issue affects mint: from 0.1.0 before 1.9.2. Users of elixir-mint mint, especially those using it as an HTTP client in their applications, should be aware of this vulnerability and take necessary actions to protect themselves.
- Vendor
- elixir-mint
- Product
- mint
- CVSS
- HIGH 8.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-14
Who should care
Users of elixir-mint mint, especially those using it as an HTTP client in their applications, should be aware of this vulnerability and take necessary actions to protect themselves. This includes updating elixir-mint mint to version 1.9.2 or later, monitoring for suspicious HTTP traffic, and implementing memory limits and monitoring for BEAM nodes.
Technical summary
The Mint.HTTP1.decode_headers/5 and Mint.HTTP1.decode_trailer_headers/4 functions in lib/mint/http1.ex accumulate every parsed response header and chunked-trailer field into a per-request list that persists across incoming TCP segments as request.headers_buffer, and only clear it when the terminating blank line is received. A malicious HTTP server can stream complete header lines indefinitely without emitting the terminating blank line, causing the connection state to grow without bound until the BEAM node is killed by the operating system's out-of-memory handler.
Defensive priority
High priority should be given to updating elixir-mint mint to version 1.9.2 or later.
Recommended defensive actions
- Update elixir-mint mint to version 1.9.2 or later
- Monitor for suspicious HTTP traffic
- Implement memory limits and monitoring for BEAM nodes
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-14T09:16:41.313Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The Mint.HTTP1.decode_headers/5 and Mint.HTTP1.decode_trailer_headers/4 functions in lib/mint/http1.ex accumulate every parsed response header and chunked-trailer field into a per-request list that persists across incoming TCP segments as request.headers_buffer, and only clear it when the terminating blank line is received. A malicious HTTP server can stream complete header lines indefinitely without emitting the terminating blank line, causing the connection state to grow without bound until the BEAM node is killed by the operating system's out-of-memory handler.
Official resources
-
CVE-2026-58229 CVE record
CVE.org
-
CVE-2026-58229 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T09:16:41.313Z and has not been modified since then. The NVD entry is currently Received.