CVE-2026-58226
Elixir-Mint · HPAX
The Elixir-Mint HPAX library contains an inefficient algorithmic complexity vulnerability allowing unauthenticated denial-of-service via unbounded HPACK integer decoding.
Executive summary
An unauthenticated denial-of-service vulnerability exists in the Elixir-Mint HPAX library due to improper handling of HPACK integer decoding, risking service availability.
Vulnerability
The vulnerability (CWE-407) occurs because the HPAX library performs unbounded decoding of HPACK integers. An unauthenticated attacker can send a specially crafted request that forces the application into an expensive computational loop, exhausting system resources.
Business impact
The ability for an unauthenticated attacker to trigger a denial-of-service via network-based requests poses a high risk to availability. With a CVSS score of 8.7, this vulnerability could be leveraged to disrupt critical services that depend on the HPAX library for HTTP/2 header compression, leading to significant operational downtime.
Remediation
Immediate Action: Update the HPAX library to version 1.0.4 or the latest available patch to enforce proper integer decoding bounds.
Proactive Monitoring: Review network and application logs for abnormal patterns in incoming HTTP requests that may indicate attempts to exploit HPACK decoding processes.
Compensating Controls: Deploy a Web Application Firewall (WAF) configured to inspect and block malformed HTTP/2 requests or those containing suspicious header structures.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the ease of exploitation and the potential for complete service disruption, organizations should treat this as a high-priority update. Ensure that all dependencies relying on the HPAX library are audited and updated to the secure version immediately.