A resource exhaustion vulnerability in the elixir-mint HTTP client library, tracked as CVE-2026-48862, allows remote attackers to cause denial of service by sending attacker-controlled HTTP/2 frames that trigger uncontrolled resource consumption. The vulnerability carries a CVSS score of 8.2 and affects the mint library used by Elixir applications for HTTP client connections.
What Is the Vulnerability?
CVE-2026-48862 is an allocation of resources without limits or throttling vulnerability in elixir-mint’s HTTP/2 implementation. The mint library is a low-level HTTP client for the Elixir programming language, used by web applications, API clients, and service-to-service communication in the Elixir/BEAM ecosystem. The vulnerability allows a malicious HTTP/2 server — or a man-in-the-middle attacker who can inject HTTP/2 frames — to send crafted frames that cause the mint client to allocate excessive resources without throttling, leading to memory exhaustion and denial of service.
The vulnerability is particularly relevant for Elixir applications that make outbound HTTP/2 connections to external services, API endpoints, or user-supplied URLs. A compromised or malicious upstream service can exploit this vulnerability to crash the connecting Elixir application. In microservice architectures where Elixir services communicate via HTTP/2, a single compromised service could potentially impact dependent services through this vulnerability.
The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling):
- CVSS v3.1 Score: 8.2 (High)
- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
- Impact: None on confidentiality, none on integrity, high on availability (C:N/I:N/A:H)
Which Versions Are Affected?
The vulnerability affects the elixir-mint HTTP client library. Administrators should update to the latest patched version of mint. Check the mint GitHub repository and Hex package registry for the specific fixed version.
Is It Being Exploited in the Wild?
No active exploitation has been publicly reported at the time of writing. However, HTTP/2 resource exhaustion vulnerabilities are well-understood and can be exploited by any upstream server an application connects to — making the attack surface broad for applications that communicate with external or user-specified services.
What Is the Fix?
Update the mint dependency (the elixir-mint package) in your Elixir project’s mix.exs file to the latest patched version, then run mix deps.update mint to apply the update. The fix is distributed through the Hex package manager. After updating, verify the version recorded in your mix.lock file.
Recommendations
Update the mint dependency immediately. While this is a denial-of-service vulnerability rather than a data breach risk, the CVSS 8.2 score reflects the ease of exploitation — any attacker-controlled HTTP/2 server can trigger it. Elixir applications that make outbound connections to external services are directly exposed.
Audit your Elixir dependency tree. Check whether mint is a direct or transitive dependency in your applications. Even if you do not use mint directly, it may be pulled in by other HTTP client libraries in the Elixir ecosystem. Use mix deps.tree to identify all dependencies that bring in mint.
Implement resource limits at the application level. In addition to updating mint, configure timeouts and resource limits for outbound HTTP connections in your application. This provides defence-in-depth against resource exhaustion attacks targeting HTTP clients, regardless of the specific library vulnerability.
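An added shell example, not code from the advisory or from the mint project, that turns the update and audit steps above into a repeatable check: it reads the locked mint version out of mix.lock, compares it with a placeholder minimum version MIN_SAFE_MINT (the advisory does not state the fixed release; take it from Hex or the mint GitHub repository), and lists which direct dependencies pull mint in from mix deps.tree output. The mix.lock excerpt and the deps.tree output are constructed samples, the plain-text layout assumed for mix deps.tree --format plain is an assumption, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the advisory or of the mint project): audit an
# Elixir project for a vulnerable mint version, using the files and commands
# the advisory names (mix.lock, mix deps.tree).
#
# MIN_SAFE_MINT is a PLACEHOLDER. The advisory does not state the fixed
# version; set this to the patched release published on Hex / GitHub.
MIN_SAFE_MINT="${MIN_SAFE_MINT:-9.9.9}"

# Constructed mix.lock excerpt (shape of a real lock file, sample hashes).
SAMPLE_MIX_LOCK='%{
  "finch": {:hex, :finch, "0.18.0", "aaaa", [:mix], [{:mint, "~> 1.3", [hex: :mint, repo: "hexpm", optional: false]}], "hexpm", "bbbb"},
  "mint": {:hex, :mint, "1.5.2", "cccc", [:mix], [{:castore, "~> 0.1", [hex: :castore, repo: "hexpm", optional: true]}], "hexpm", "dddd"},
}'

# Constructed output in the assumed shape of `mix deps.tree --format plain`
# (a real tree comes from running that command in the project).
SAMPLE_DEPS_TREE='my_app
|-- finch ~> 0.18 (Hex package)
|   |-- mint ~> 1.5 (Hex package)
|   |   `-- hpax ~> 0.1 (Hex package)
|   `-- nimble_pool ~> 1.0 (Hex package)
|-- jason ~> 1.4 (Hex package)
`-- req ~> 0.4 (Hex package)
    `-- finch ~> 0.18 (Hex package)
        `-- mint ~> 1.5 (Hex package)'

# Print the locked mint version from mix.lock text on stdin (nothing if absent).
mint_version_from_lock() {
  sed -n 's/^[[:space:]]*"mint": {:hex, :mint, "\([^"]*\)".*/\1/p'
}

# version_lt A B: exit 0 when A < B, comparing dotted numeric components.
# Pre-release suffixes ("1.6.0-rc.1") compare as their numeric prefix.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      ai = (i <= n) ? x[i] + 0 : 0
      bi = (i <= m) ? y[i] + 0 : 0
      if (ai < bi) exit 0
      if (ai > bi) exit 1
    }
    exit 1
  }'
}

# List the direct dependencies whose subtree contains mint; mint itself is
# reported as "mint (direct)" when it is a top-level dependency.
# Reads deps.tree plain output on stdin.
direct_deps_pulling_mint() {
  awk '
    /^[|`]-- / { top = $2; if (top == "mint") seen["mint (direct)"] = 1; next }
    { for (i = 1; i <= NF; i++) if ($i == "mint") seen[top] = 1 }
    END { for (t in seen) print t }
  ' | sort
}

# Verdict on mix.lock text from stdin: 0 = at/above MIN_SAFE_MINT,
# 1 = below it (vulnerable), 2 = mint not locked at all.
audit_mint_lock() {
  v=$(mint_version_from_lock)
  if [ -z "$v" ]; then
    echo "mint is not present in mix.lock"
    return 2
  fi
  if version_lt "$v" "$MIN_SAFE_MINT"; then
    echo "VULNERABLE: mint $v is below $MIN_SAFE_MINT"
    return 1
  fi
  echo "OK: mint $v is at or above $MIN_SAFE_MINT"
  return 0
}

# Stand-alone run against the constructed samples. In a real project use:
#   audit_mint_lock < mix.lock
#   mix deps.tree --format plain | direct_deps_pulling_mint
status=0
printf '%s\n' "$SAMPLE_MIX_LOCK" | audit_mint_lock || status=$?
echo "audit exit status: $status (1 = below placeholder $MIN_SAFE_MINT)"
echo "direct dependencies pulling in mint:"
printf '%s\n' "$SAMPLE_DEPS_TREE" | direct_deps_pulling_mint
```

Run it from the project root with MIN_SAFE_MINT exported to the real fixed version; the deps.tree pass matters because a transitive mint is only fixed when the direct dependency's requirement admits the patched release, so a direct dependency listed there may itself need a bump before mix deps.update mint can move the lock forward.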
References
- NVD: CVE-2026-48862
- elixir-mint — Hex Package Registry
- Vulnerability Intelligence Report — June 3, 2026
This advisory is covered in the broader Vulnerability Intelligence Report — June 3, 2026. For a comprehensive view of all active threats and newly disclosed vulnerabilities, refer to the full report.
