CVE-2026-58226

Elixir-Mint · HPAX

The Elixir-Mint HPAX library contains an inefficient algorithmic complexity vulnerability allowing unauthenticated denial-of-service via unbounded HPACK integer decoding.

Executive summary

An unauthenticated denial-of-service vulnerability exists in the Elixir-Mint HPAX library due to improper handling of HPACK integer decoding, risking service availability.

Vulnerability

The vulnerability (CWE-407) occurs because the HPAX library performs unbounded decoding of HPACK integers. An unauthenticated attacker can send a specially crafted request that forces the application into an expensive computational loop, exhausting system resources.

Business impact

The ability for an unauthenticated attacker to trigger a denial-of-service via network-based requests poses a high risk to availability. With a CVSS score of 8.7, this vulnerability could be leveraged to disrupt critical services that depend on the HPAX library for HTTP/2 header compression, leading to significant operational downtime.

Remediation

Immediate Action: Update the HPAX library to version 1.0.4 or the latest available patch to enforce proper integer decoding bounds.

Proactive Monitoring: Review network and application logs for abnormal patterns in incoming HTTP requests that may indicate attempts to exploit HPACK decoding processes.

Compensating Controls: Deploy a Web Application Firewall (WAF) configured to inspect and block malformed HTTP/2 requests or those containing suspicious header structures.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the ease of exploitation and the potential for complete service disruption, organizations should treat this as a high-priority update. Ensure that all dependencies relying on the HPAX library are audited and updated to the secure version immediately.