CVE-2026-42786: Unbounded WebSocket Fragmented Message Reassembly Denial of Service in Bandit
Vulnerability ID: CVE-2026-42786
CVSS Score: 8.7
Published: 2026-05-07
An unauthenticated remote denial of service vulnerability exists in the Bandit HTTP server due to unbounded resource allocation during WebSocket fragment reassembly. Attackers can trigger complete memory exhaustion by streaming continuous WebSocket frames without the finalization bit, causing the Erlang virtual machine to crash.
TL;DR
Bandit < 1.11.0 fails to limit cumulative size of fragmented WebSocket messages, allowing unauthenticated attackers to cause an Out-of-Memory (OOM) denial of service by sending infinite continuation frames.
Technical Details
- CWE ID: CWE-770
- Attack Vector: Network (Unauthenticated)
- CVSS 4.0 Score: 8.7 (High)
- EPSS Percentile: 17.28%
- Primary Impact: Denial of Service (OOM)
- Exploit Status: None (Theoretical PoC)
- CISA KEV: No
Affected Systems
- Bandit HTTP Server (0.5.0 up to 1.11.0)
- Phoenix Web Applications using vulnerable Bandit instances as the web server adapter
- bandit: >= 0.5.0, < 1.11.0 (Fixed in: 1.11.0)
Code Analysis
Commit: 21612c7
Fix unbounded websocket fragmented message reassembly
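As an added illustration (not Bandit's code nor the change in commit 21612c7), this Python model shows the defect class the fix addresses: a fragment reassembler with no cumulative cap grows its buffer for every FIN=0 continuation frame it receives, while one with a byte limit discards the partial message and closes with status 1009 (Message Too Big), the code the remediation steps say to monitor. The frame sizes and the 8 KiB limit used in the simulation are constructed values.

```python
import struct

CLOSE_MESSAGE_TOO_BIG = 1009  # RFC 6455 close status for oversized messages

def encode_frame(payload: bytes, fin: bool, opcode: int) -> bytes:
    """Build an unmasked frame; FIN=0 marks a fragment with more to follow."""
    head = bytes([(0x80 if fin else 0) | opcode])
    n = len(payload)
    if n < 126:
        return head + bytes([n]) + payload
    if n < 65536:
        return head + bytes([126]) + struct.pack("!H", n) + payload
    return head + bytes([127]) + struct.pack("!Q", n) + payload

def decode_frame(frame: bytes):
    """Return (fin, opcode, payload) of one unmasked frame."""
    fin, opcode = bool(frame[0] & 0x80), frame[0] & 0x0F
    n, pos = frame[1] & 0x7F, 2
    if n == 126:
        n, pos = struct.unpack("!H", frame[2:4])[0], 4
    elif n == 127:
        n, pos = struct.unpack("!Q", frame[2:10])[0], 10
    return fin, opcode, frame[pos:pos + n]

class Reassembler:
    """Joins fragments; limit=None is the unbounded (CWE-770) behaviour, a byte limit is the fix."""
    def __init__(self, limit=None):
        self.limit, self.buf = limit, bytearray()

    def feed(self, frame: bytes):
        """Return ("message", bytes), ("close", code) or None while still buffering."""
        fin, _opcode, payload = decode_frame(frame)
        self.buf += payload
        if self.limit is not None and len(self.buf) > self.limit:
            self.buf.clear()                      # drop partial state before closing
            return ("close", CLOSE_MESSAGE_TOO_BIG)
        if not fin:
            return None                           # wait for further fragments
        msg, self.buf = bytes(self.buf), bytearray()
        return ("message", msg)

def run_never_fin(limit, frames=64, chunk=1024):
    """Constructed input: a text fragment then continuations that never set FIN; returns (buffered bytes, close code)."""
    r = Reassembler(limit)
    for i in range(frames):
        opcode = 0x1 if i == 0 else 0x0           # first fragment is text, the rest continuation
        result = r.feed(encode_frame(b"A" * chunk, fin=False, opcode=opcode))
        if result is not None and result[0] == "close":
            return len(r.buf), result[1]
    return len(r.buf), None
```

`run_never_fin(None)` keeps all 64 KiB buffered with no end in sight, whereas `run_never_fin(8 * 1024)` stops at the ninth frame with an empty buffer and close code 1009.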
Mitigation Strategies
- Upgrade bandit package to version 1.11.0 or higher
- Configure web application firewall (WAF) to inspect and limit abnormal WebSocket message continuation patterns
- Implement connection rate limiting and maximum connection duration timeouts
Remediation Steps:
- Update `mix.exs` to require `bandit` version `~> 1.11`
- Run `mix deps.get` and `mix deps.compile` to fetch and build the updated library
- If the application legitimately handles WebSocket messages larger than 8MB, configure `max_fragmented_message_size` in the Bandit endpoint configuration
- Deploy the application and monitor WebSocket connection metrics for unexpected termination errors (Code 1009)
References
Read the full report for CVE-2026-42786 on our website for more details including interactive diagrams and full exploit analysis.