PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59246 elixir-mint CVE debrief

CVE-2026-59246: A remote HTTP/2 server can exhaust memory on the client host and cause a denial of service due to an allocation of resources without limits in Elixir Mint. The vulnerability exists in the Mint.HTTP2.handle_continuation/3 function, which accumulates header-block fragments carried by each HTTP/2 CONTINUATION frame into a growing conn.headers_being_processed nesting. A malicious HTTP/2 server can open a stream by sending a HEADERS frame without END_HEADERS and then stream zero-length CONTINUATION frames indefinitely, leading to memory exhaustion and eventual out-of-memory termination.

Vendor
elixir-mint
Product
mint
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-14
Advisory published
2026-07-14
Advisory updated
2026-07-14

Who should care

Users of Elixir Mint, particularly those who handle HTTP/2 requests, should be aware of this vulnerability and take steps to mitigate it. This includes updating to a patched version of Mint (1.9.2 or later) and implementing compensating controls to detect and prevent potential attacks.

Technical summary

The vulnerability exists in the Mint.HTTP2.handle_continuation/3 function, which accumulates header-block fragments carried by each HTTP/2 CONTINUATION frame into a growing conn.headers_being_processed nesting. A malicious HTTP/2 server can open a stream by sending a HEADERS frame without END_HEADERS and then stream zero-length CONTINUATION frames indefinitely, leading to memory exhaustion and eventual out-of-memory termination. The issue affects mint from 0.1.0 before 1.9.2.

Defensive priority

High

Recommended defensive actions

  • Update to a patched version of Mint (1.9.2 or later)
  • Implement compensating controls to detect and prevent potential attacks
  • Monitor for suspicious HTTP/2 traffic
  • Perform regular security audits and vulnerability assessments
  • Review and update incident response plans
  • Conduct vulnerability scanning and penetration testing
  • Track and analyze network traffic for anomalies

Evidence notes

The CVE record was published on 2026-07-14T09:16:41.727Z and has not been modified since then. The NVD entry is currently Received. The vulnerability has a CVSS score of 6.3 and a severity of MEDIUM. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected systems, review vendor guidance, and monitor for potential attacks.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T09:16:41.727Z and has not been modified since then. The NVD entry is currently Received.