Bug 2464587 (CVE-2026-42786) - CVE-2026-42786 bandit: Bandit: Denial of Service via uncontrolled memory growth in WebSocket connections
Summary: CVE-2026-42786 bandit: Bandit: Denial of Service via uncontrolled memory grow...
Keywords:
Status: NEW
Alias: CVE-2026-42786
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2477946
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-01 21:01 UTC by OSIDB Bzimport
Modified: 2026-05-15 18:03 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-01 21:01:35 UTC 
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.

The fragment reassembly path in 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 in lib/bandit/websocket/connection.ex appends every incoming Continuation{fin: false} frame's payload to a per-connection iolist with no cumulative size cap. The existing max_frame_size option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting fin=1 grows BEAM heap linearly until the OS or a supervisor kills the process.

Because the accumulation happens before WebSock.handle_in/2 is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over WebSock on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections.

This issue affects bandit: from 0.5.0 before 1.11.0.
Note You need to log in before you can comment on or make changes to this bug.