CVE-2026-42786
Deferred Deferred - Pending Action
Denial of Service in Bandit via Unbounded Frame Accumulation

Publication date: 2026-05-01

Last updated on: 2026-05-05

Assigner: EEF

Description
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The fragment reassembly path in 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 in lib/bandit/websocket/connection.ex appends every incoming Continuation{fin: false} frame's payload to a per-connection iolist with no cumulative size cap. The existing max_frame_size option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting fin=1 grows BEAM heap linearly until the OS or a supervisor kills the process. Because the accumulation happens before WebSock.handle_in/2 is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over WebSock on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections. This issue affects bandit: from 0.5.0 before 1.11.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42786
EUVD
EUVD-2026-26715
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
elixir bandit to 1.11.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an Allocation of Resources Without Limits or Throttling issue in the mtrudel bandit library. It allows an unauthenticated remote attacker to cause a denial of service by exhausting memory.

Specifically, the fragment reassembly path in the 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 function appends every incoming Continuation frame's payload to a per-connection list without any cumulative size limit. While individual frames are limited by max_frame_size, an attacker can send an unbounded number of continuation frames without setting the fin flag to true, causing the BEAM heap to grow linearly until the operating system or supervisor kills the process.

Because this accumulation happens before the WebSock.handle_in/2 function is called, the application cannot check or limit the size, exposing this vulnerability to applications using Phoenix Channels and LiveView over Bandit.

Impact Analysis

This vulnerability can impact you by allowing an unauthenticated remote attacker to cause a denial of service (DoS) on your system.

The attacker can exhaust the memory of the process handling WebSocket connections by sending a large number of continuation frames without limits, causing the process to be killed by the operating system or supervisor.

This can lead to service outages, degraded performance, and unavailability of applications relying on Bandit, including those using Phoenix Channels and LiveView.

Compliance Impact

The vulnerability allows unauthenticated remote denial of service via memory exhaustion, which could impact the availability of services running on affected versions of bandit. Since availability is a key aspect of many compliance standards such as GDPR and HIPAA, this vulnerability could potentially affect compliance by causing service disruptions.

However, the provided information does not explicitly describe the direct impact on compliance with specific standards or regulations like GDPR or HIPAA.

Detection Guidance

This vulnerability involves unbounded memory growth caused by streaming WebSocket continuation frames without a cumulative size limit. Detection on the network or system level is challenging because common deployment setups like load balancers or reverse proxies cannot detect or block the attack.

Since the issue occurs before application-level handlers are invoked and involves internal memory exhaustion in the BEAM process, direct detection commands are not provided in the available information.

Monitoring for unusually high memory usage or process restarts of the Bandit WebSocket server process could be an indirect way to detect exploitation attempts.

Mitigation Strategies

The vulnerability is fixed in Bandit version 1.11.0 by introducing a new configurable limit on the maximum size of fragmented WebSocket messages.

  • Upgrade Bandit to version 1.11.0 or later, which adds the `max_fragmented_message_size` option to limit cumulative message size and rejects zero-length non-final continuation frames.
  • Configure the `max_fragmented_message_size` option (default 8MB) to an appropriate limit for your environment to prevent memory exhaustion.
  • Ensure that connections exceeding the configured message size limit are closed with error code 1009, as implemented in the patch.

No other configuration options or network-level mitigations are effective, so upgrading and configuring the patched Bandit library is the recommended immediate step.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42786. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart