8.7
HIGH CVSS 4.0
CVE-2026-56810
mint buffers an entire chunked response chunk in memory in Mint.HTTP1.decode_body/5
Description

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint (Mint.HTTP1 module) allows a denial of service via an oversized chunked transfer-encoded response. This vulnerability is associated with program files lib/mint/http1.ex and program routines 'Elixir.Mint.HTTP1':decode_body/5, 'Elixir.Mint.HTTP1':add_body_to_buffer/2. When Mint decodes a chunked HTTP response body, it accumulates each partial fragment of the current chunk in the connection's data_buffer (an unbounded iolist) via add_body_to_buffer/2 and does not emit the data to the caller until the full declared chunk length has been received. The chunk size is taken directly from the server and parsed with no upper bound, so a malicious or compromised server can announce one enormous chunk (for example a size line of 7FFFFFFF, about 2 GiB) and then send the body bytes slowly without ever completing the chunk. The client buffers every received byte while it waits for a completion that never arrives, and because no data responses are produced until the chunk finishes, a caller that otherwise streams large content-length bodies safely gains no protection. An unauthenticated remote server (reachable whenever a client follows redirects, fetches user-supplied URLs, or processes webhooks) can drive the client's memory arbitrarily high and trigger an out-of-memory condition. This issue affects mint: from 0.5.0 before 1.9.1.

INFO

Published Date :

July 6, 2026, 11:16 a.m.

Last Modified :

July 6, 2026, 11:16 a.m.

Remotely Exploit :

Yes !

Source :

6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Affected Products

The following products are affected by CVE-2026-56810 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Elixir-mint mint
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 4.0 HIGH 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVSS 4.0 HIGH 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Solution
Update mint to version 1.9.1 or later to prevent resource exhaustion from oversized chunked responses.
  • Update the mint library to version 1.9.1 or newer.
  • Apply input validation for chunk sizes.
  • Implement resource limits for data buffering.
References to Advisories, Solutions, and Tools
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-56810 is associated with the following CWEs:

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-56810 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2026-56810 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • New CVE Received by 6b3ad84c-e1a6-4bf7-a703-f496b71e49db

    Jul. 06, 2026

    Action Type Old Value New Value
    Added Affected [{'cpes': ['cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*'], 'repo': 'https://github.com/elixir-mint/mint', 'vendor': 'elixir-mint', 'modules': ["'Elixir.Mint.HTTP1'"], 'product': 'mint', 'versions': [{'status': 'affected', 'version': '0.5.0', 'lessThan': '1.9.1', 'versionType': 'semver'}], 'packageURL': 'pkg:hex/mint', 'packageName': 'mint', 'programFiles': ['lib/mint/http1.ex'], 'collectionURL': 'https://repo.hex.pm', 'defaultStatus': 'unaffected', 'programRoutines': [{'name': "'Elixir.Mint.HTTP1':decode_body/5"}, {'name': "'Elixir.Mint.HTTP1':add_body_to_buffer/2"}]}, {'cpes': ['cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*'], 'repo': 'https://github.com/elixir-mint/mint', 'vendor': 'elixir-mint', 'modules': ["'Elixir.Mint.HTTP1'"], 'product': 'mint', 'versions': [{'status': 'affected', 'version': 'c575d819d39ebf7e9b77ec24584a5ffbb11c844e', 'lessThan': '193ce714907d16e8adc4ab3c40e4f0c2f045b2a6', 'versionType': 'git'}], 'packageURL': 'pkg:github/elixir-mint/mint', 'packageName': 'elixir-mint/mint', 'programFiles': ['lib/mint/http1.ex'], 'collectionURL': 'https://github.com', 'defaultStatus': 'unaffected', 'programRoutines': [{'name': "'Elixir.Mint.HTTP1':decode_body/5"}, {'name': "'Elixir.Mint.HTTP1':add_body_to_buffer/2"}]}]
    Added Description Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint (Mint.HTTP1 module) allows a denial of service via an oversized chunked transfer-encoded response. This vulnerability is associated with program files lib/mint/http1.ex and program routines 'Elixir.Mint.HTTP1':decode_body/5, 'Elixir.Mint.HTTP1':add_body_to_buffer/2. When Mint decodes a chunked HTTP response body, it accumulates each partial fragment of the current chunk in the connection's data_buffer (an unbounded iolist) via add_body_to_buffer/2 and does not emit the data to the caller until the full declared chunk length has been received. The chunk size is taken directly from the server and parsed with no upper bound, so a malicious or compromised server can announce one enormous chunk (for example a size line of 7FFFFFFF, about 2 GiB) and then send the body bytes slowly without ever completing the chunk. The client buffers every received byte while it waits for a completion that never arrives, and because no data responses are produced until the chunk finishes, a caller that otherwise streams large content-length bodies safely gains no protection. An unauthenticated remote server (reachable whenever a client follows redirects, fetches user-supplied URLs, or processes webhooks) can drive the client's memory arbitrarily high and trigger an out-of-memory condition. This issue affects mint: from 0.5.0 before 1.9.1.
    Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Added CWE CWE-770
    Added Reference https://cna.erlef.org/cves/CVE-2026-56810.html
    Added Reference https://github.com/elixir-mint/mint/commit/193ce714907d16e8adc4ab3c40e4f0c2f045b2a6
    Added Reference https://github.com/elixir-mint/mint/security/advisories/GHSA-c59h-fq4p-r36r
    Added Reference https://osv.dev/vulnerability/EEF-CVE-2026-56810
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.