<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the most 10 recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Fri, 17 Jul 2026 16:21:06 +0000</lastBuildDate>
    <item>
      <title>7d342c9c-2f14-42e0-b495-644396fad958</title>
      <link>https://vulnerability.circl.lu/sighting/7d342c9c-2f14-42e0-b495-644396fad958/export</link>
      <description>{"uuid": "7d342c9c-2f14-42e0-b495-644396fad958", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49754", "type": "seen", "source": "https://gist.github.com/alon710/e074ac5405ee20f6dd8bded11414265c", "content": "# CVE-2026-49754: CVE-2026-49754: Denial of Service via Unbounded HTTP/2 CONTINUATION Frame Accumulation in Elixir Mint\n\n&amp;gt; **CVSS Score:** 8.2\n&amp;gt; **Published:** 2026-07-09\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-49754\n\n## Summary\nAn allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.\n\n## TL;DR\nAn unauthenticated, remote attacker can crash any Elixir application utilizing the Mint client library to establish HTTP/2 connections by hosting a malicious server that streams an infinite series of HTTP/2 CONTINUATION frames.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-770\n- **Attack Vector**: Network\n- **CVSS v4.0 Score**: 8.2 (High)\n- **Exploit Maturity**: Proof-of-Concept (PoC)\n- **EPSS Score**: 0.00384\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- Applications utilizing the Elixir Mint HTTP client library for outbound HTTP/2 connections.\n- **mint**: &amp;gt;= 0.1.0, &amp;lt; 1.9.0 (Fixed in: `1.9.0`)\n\n## Mitigation\n\n- Upgrade the Mint library dependency to version 1.9.0 or higher.\n- Restrict connection protocols to HTTP/1.1 when connecting to external or untrusted endpoints to bypass the HTTP/2 continuation frame logic.\n- Implement deep packet inspection or proxy limits on outbound HTTP/2 connections to enforce strict limits on continuous framing sequences.\n\n**Remediation Steps:**\n1. Open the Elixir project configuration file `mix.exs`.\n2. Locate the `deps` definition and update the `mint` dependency requirement to version `~&amp;gt; 1.9`.\n3. Run `mix deps.get` in your development terminal to download and integrate the updated version.\n4. Deploy the updated application build to production environments.\n5. For temporary emergency mitigations, modify connection calls in the application code to use the configuration option `protocols: [:http1]`.\n\n## References\n\n- [GitHub Advisory: Allocation of Resources Without Limits or Throttling in elixir-mint](https://github.com/elixir-mint/mint/security/advisories/GHSA-2p26-p43x-fhp8)\n- [Erlang Ecosystem Foundation Security Advisory](https://cna.erlef.org/cves/CVE-2026-49754.html)\n- [Open Source Vulnerability Database Entry](https://osv.dev/vulnerability/EEF-CVE-2026-49754)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49754) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-10T03:12:07.016256Z"}</description>
      <content:encoded>{"uuid": "7d342c9c-2f14-42e0-b495-644396fad958", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49754", "type": "seen", "source": "https://gist.github.com/alon710/e074ac5405ee20f6dd8bded11414265c", "content": "# CVE-2026-49754: CVE-2026-49754: Denial of Service via Unbounded HTTP/2 CONTINUATION Frame Accumulation in Elixir Mint\n\n&amp;gt; **CVSS Score:** 8.2\n&amp;gt; **Published:** 2026-07-09\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-49754\n\n## Summary\nAn allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.\n\n## TL;DR\nAn unauthenticated, remote attacker can crash any Elixir application utilizing the Mint client library to establish HTTP/2 connections by hosting a malicious server that streams an infinite series of HTTP/2 CONTINUATION frames.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-770\n- **Attack Vector**: Network\n- **CVSS v4.0 Score**: 8.2 (High)\n- **Exploit Maturity**: Proof-of-Concept (PoC)\n- **EPSS Score**: 0.00384\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- Applications utilizing the Elixir Mint HTTP client library for outbound HTTP/2 connections.\n- **mint**: &amp;gt;= 0.1.0, &amp;lt; 1.9.0 (Fixed in: `1.9.0`)\n\n## Mitigation\n\n- Upgrade the Mint library dependency to version 1.9.0 or higher.\n- Restrict connection protocols to HTTP/1.1 when connecting to external or untrusted endpoints to bypass the HTTP/2 continuation frame logic.\n- Implement deep packet inspection or proxy limits on outbound HTTP/2 connections to enforce strict limits on continuous framing sequences.\n\n**Remediation Steps:**\n1. Open the Elixir project configuration file `mix.exs`.\n2. Locate the `deps` definition and update the `mint` dependency requirement to version `~&amp;gt; 1.9`.\n3. Run `mix deps.get` in your development terminal to download and integrate the updated version.\n4. Deploy the updated application build to production environments.\n5. For temporary emergency mitigations, modify connection calls in the application code to use the configuration option `protocols: [:http1]`.\n\n## References\n\n- [GitHub Advisory: Allocation of Resources Without Limits or Throttling in elixir-mint](https://github.com/elixir-mint/mint/security/advisories/GHSA-2p26-p43x-fhp8)\n- [Erlang Ecosystem Foundation Security Advisory](https://cna.erlef.org/cves/CVE-2026-49754.html)\n- [Open Source Vulnerability Database Entry](https://osv.dev/vulnerability/EEF-CVE-2026-49754)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49754) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-10T03:12:07.016256Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/7d342c9c-2f14-42e0-b495-644396fad958/export</guid>
      <pubDate>Fri, 10 Jul 2026 03:12:07 +0000</pubDate>
    </item>
    <item>
      <title>688e5fea-0e9b-4a28-ae73-efe9795714cb</title>
      <link>https://vulnerability.circl.lu/sighting/688e5fea-0e9b-4a28-ae73-efe9795714cb/export</link>
      <description>{"uuid": "688e5fea-0e9b-4a28-ae73-efe9795714cb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-49754", "type": "published-proof-of-concept", "source": "https://github.com/elixir-mint/mint/security/advisories/GHSA-2p26-p43x-fhp8", "content": "", "creation_timestamp": "2026-07-10T00:35:16.905538Z"}</description>
      <content:encoded>{"uuid": "688e5fea-0e9b-4a28-ae73-efe9795714cb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-49754", "type": "published-proof-of-concept", "source": "https://github.com/elixir-mint/mint/security/advisories/GHSA-2p26-p43x-fhp8", "content": "", "creation_timestamp": "2026-07-10T00:35:16.905538Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/688e5fea-0e9b-4a28-ae73-efe9795714cb/export</guid>
      <pubDate>Fri, 10 Jul 2026 00:35:16 +0000</pubDate>
    </item>
  </channel>
</rss>
