DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-42788: HTTP/2 Frame Size Limit Bypass and Memory Exhaustion in Bandit

Vulnerability ID: CVE-2026-42788
CVSS Score: 6.9
Published: 2026-05-07

CVE-2026-42788 is a critical resource management vulnerability in the Bandit HTTP server for Elixir. The flaw lies in the HTTP/2 frame deserialization logic: the binary pattern match that parses a frame only succeeds once the full payload has been buffered, so the frame size is validated only after the memory has already been allocated. This allows an unauthenticated remote attacker to cause memory exhaustion and denial of service by sending oversized HTTP/2 frames.

TL;DR

Unauthenticated remote attackers can trigger Denial of Service in the Bandit Elixir HTTP server via memory exhaustion by sending oversized HTTP/2 frames, bypassing size limits due to deferred buffer validation in pattern matching.
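To make the deferred-check mechanism concrete, here is an added Elixir illustration that is not Bandit's code: a constructed `FrameSizeDemo` module (hypothetical names, simplified error tuples) contrasts a parser whose clause must match the whole payload before it checks `length` with one that rejects on the 9-byte header alone, and measures how many bytes each variant buffers from a constructed oversized-frame stream.

```elixir
defmodule FrameSizeDemo do
  # Vulnerable shape: this clause cannot match until `length` payload bytes have
  # been buffered, so the size check in the body runs after the allocation.
  def deserialize_late(
        <<length::24, type::8, flags::8, _r::1, stream_id::31,
          payload::binary-size(length), rest::binary>>,
        limit
      ) do
    if length > limit,
      do: {:error, :frame_size_error, rest},
      else: {:ok, {type, flags, stream_id, payload}, rest}
  end
  def deserialize_late(buffer, _limit), do: {:more, buffer}

  # Hardened shape (the idea behind the fix): reject on the 9-byte header alone,
  # before waiting for any payload bytes to arrive.
  def deserialize_early(<<length::24, _::8, _::8, _::1, _::31, rest::binary>>, limit)
      when length > limit do
    {:error, :frame_size_error, rest}
  end
  def deserialize_early(buffer, limit), do: deserialize_late(buffer, limit)

  # Feed chunks through a parser and report the largest buffer it ever held.
  # A frame-size error closes the connection, so later chunks are dropped.
  def peak_buffer(parser, chunks, limit) do
    chunks
    |> Enum.reduce({<<>>, 0, :open}, fn
      _chunk, {_buf, peak, :closed} -> {<<>>, peak, :closed}
      chunk, {buf, peak, :open} ->
        buf = buf <> chunk
        peak = max(peak, byte_size(buf))
        case parser.(buf, limit) do
          {:more, pending} -> {pending, peak, :open}
          {:ok, _frame, rest} -> {rest, peak, :open}
          {:error, _reason, _rest} -> {<<>>, peak, :closed}
        end
    end)
    |> elem(1)
  end

  # Constructed attacker stream: a header claiming a 2^24-1 byte DATA frame on
  # stream 1, then 4 x 64 KiB of payload, parsed against a 16 KiB limit.
  def demo do
    header = <<0xFFFFFF::24, 0::8, 0::8, 0::1, 1::31>>
    chunks = [header | List.duplicate(:binary.copy(<<0>>, 65_536), 4)]
    %{late_check_peak_bytes: peak_buffer(&deserialize_late/2, chunks, 16_384),
      early_check_peak_bytes: peak_buffer(&deserialize_early/2, chunks, 16_384)}
  end
end
```

Running `FrameSizeDemo.demo()` in `iex` shows the late-check parser holding every payload byte it has received so far while waiting for a frame that never completes, whereas the early-check parser never buffers more than the header.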


Technical Details

  • CWE ID: CWE-770
  • Attack Vector: Network
  • CVSS v4.0: 6.9
  • EPSS Score: 0.00017
  • Impact: Denial of Service (DoS)
  • Exploit Status: None
  • CISA KEV: Not Listed

Affected Systems

  • bandit (Elixir HTTP server)
  • bandit: 0.3.6 <= version < 1.11.0 (Fixed in: 1.11.0)

Code Analysis

Commit: 1e8e559

Fix for HTTP/2 frame size limit bypassed by late buffer check

@@ -0,0 +1,7 @@
+def deserialize(
+      <<length::24, _type::8, _flags::8, _reserved::1, _stream_id::31, rest::binary>>,
+      max_frame_size
+    )
+    when length > max_frame_size do
+  {{:error, Bandit.HTTP2.Errors.frame_size_error(), "Payload size too large (RFC9113ยง4.2)"},
+   rest}
+end
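Review bot: this clause only takes effect if it is ordered before any `deserialize/2` clause that matches the payload with `binary-size(length)`, since Elixir tries function clauses top to bottom; the hunk header `@@ -0,0 +1,7 @@` shows no surrounding clauses, so confirm its position in the file. Two smaller points: the error tuple hands back `rest`, which at this point starts with whatever bytes of the rejected payload have already arrived, so check that the caller treats `frame_size_error` as terminal for the connection and does not re-enter the parser on `rest`; and the error string on the `{{:error, ...` line reads `RFC9113ยง4.2` here, which looks like a mis-encoded section sign and should be verified as `§` in the source.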

Mitigation Strategies

  • Upgrade the bandit dependency to version 1.11.0 or later.
  • Implement rate limiting and connection concurrency limits at the reverse proxy or WAF layer.
  • Enforce process-level memory limits using containerization policies (e.g., cgroups, Kubernetes resource quotas).

Remediation Steps:

  1. Modify the mix.exs file in the Elixir project to require bandit version >= 1.11.0.
  2. Execute mix deps.get and mix deps.compile to fetch and compile the updated dependency.
  3. Verify the update by inspecting the mix.lock file, ensuring the bandit version reflects 1.11.0.
  4. Deploy the updated application build to staging, test HTTP/2 functionality, and proceed to production deployment.

Read the full report for CVE-2026-42788 on our website for more details including interactive diagrams and full exploit analysis.
