CVE-2026-56810: Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint (Mint.HTTP1 module) allows a denial of service via an oversized chunked transfer-encoded resp
Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint (Mint.HTTP1 module) allows a denial of service via an oversized chunked transfer-encoded response.
This vulnerability is associated with program files lib/mint/http1.ex and program routines 'Elixir.Mint.HTTP1':decode_body/5, 'Elixir.Mint.HTTP1':add_body_to_buffer/2.
When Mint decodes a chunked HTTP response body, it accumulates each partial fragment of the current chunk in the connection's data_buffer (an unbounded iolist) via add_body_to_buffer/2 and does not emit the data to the caller until the full declared chunk length has been received. The chunk size is taken directly from the server and parsed with no upper bound, so a malicious or compromised server can announce one enormous chunk (for example a size line of 7FFFFFFF, about 2 GiB) and then send the body bytes slowly without ever completing the chunk. The client buffers every received byte while it waits for a completion that never arrives, and because no data responses are produced until the chunk finishes, a caller that otherwise streams large content-length bodies safely gains no protection. An unauthenticated remote server (reachable whenever a client follows redirects, fetches user-supplied URLs, or processes webhooks) can drive the client's memory arbitrarily high and trigger an out-of-memory condition.
This issue affects mint: from 0.5.0 before 1.9.1.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-56810
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-568100.34% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 26% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-56810 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for Allocation of Resources
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- highCVE-2026-40006: Memory Allocation with Excessive Size Value, Allocation of Resources Without Limits or Throttl…nvd · 2026-07-10
- highCVE-2026-31984: A denial-of-service vulnerability caused by unbounded resource allocation was discovered in th…nvd · 2026-07-09
- highCVE-2026-56811: Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix…nvd · 2026-07-07
- mediumCVE-2026-56149: Allocation of Resources Without Limits or Throttling in Elasticsearch Leading to Denial of Ser…msrc · 2026-07-02
- highCVE-2026-54428: Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache Htt…nvd · 2026-07-01
- mediumCVE-2026-49090: Uncontrolled Resource Consumption (CWE-400) in Elasticsearch can lead to a denial of service v…nvd · 2026-07-01
More from NVD Recent CVEs
- unknownCVE-2026-57828: The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload t…2026-07-11
- unknownCVE-2026-57827: The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that al…2026-07-11
- highCVE-2026-1359: The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized m…2026-07-11
- highCVE-2026-9282: The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up…2026-07-11
- mediumCVE-2026-9017: The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to autho…2026-07-11