CVE-2026-59246: A remote HTTP/2 server can exhaust memory on the client host and cause a denial of service due to an allocation of resources without limits in Elixir Mint. The vulnerability exists in the Mint.HTTP2.handle_continuation/3 function, which accumulates header-block fragments carried by each HTTP/2 CONTINUATION frame into a growing conn.headers_being_processed nesting. A malicious HTTP/2 server [truncated]
A vulnerability in elixir-mint mint allows a remote HTTP server to exhaust memory on the client host and cause a denial of service. The Mint.HTTP1.decode_headers/5 and Mint.HTTP1.decode_trailer_headers/4 functions accumulate every parsed response header and chunked-trailer field into a per-request list that persists across incoming TCP segments as request.headers_buffer, and only clear it when the termina [truncated]