CVE-2026-39806: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') in mtrudel bandit
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is followed immediately by the empty trailer line \r\n. RFC 9112 §7.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives <<>> on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection. A handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement. This issue affects bandit: from 1.6.1 before 1.11.1.
AI Analysis
Technical Summary
The vulnerability in mtrudel bandit occurs in the Elixir.Bandit.HTTP1.Socket module's do_read_chunked_data!/5 function, which mishandles chunked HTTP requests containing trailer fields. The function expects the last chunk line to be immediately followed by an empty trailer line, but RFC 9112 allows multiple trailer fields in between. When trailers are present, none of the pattern matches apply, leading to a recursive call with unchanged state and no progress, effectively causing an infinite loop. This pins the worker process for the duration of the TCP connection. Multiple concurrent connections with such requests can exhaust the worker pool, resulting in a denial of service. This affects bandit versions from 1.6.1 up to but not including 1.11.1.
Potential Impact
An unauthenticated remote attacker can cause a denial of service by sending a small number of concurrent chunked HTTP requests containing trailer fields. This exhausts the server's worker pool by pinning worker processes in an infinite loop, rendering the server unresponsive to legitimate traffic. Servers behind proxies that forward trailer-bearing requests (e.g., NGINX, HAProxy) may be affected even without malicious client activity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider mitigating by limiting or filtering HTTP requests with chunked transfer encoding containing trailer fields at the proxy or firewall level to prevent triggering the infinite loop condition. Monitor for updates from the mtrudel bandit project regarding patches or official workarounds.
CVE-2026-39806: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') in mtrudel bandit
Description
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is followed immediately by the empty trailer line \r\n. RFC 9112 §7.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives <<>> on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection. A handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement. This issue affects bandit: from 1.6.1 before 1.11.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in mtrudel bandit occurs in the Elixir.Bandit.HTTP1.Socket module's do_read_chunked_data!/5 function, which mishandles chunked HTTP requests containing trailer fields. The function expects the last chunk line to be immediately followed by an empty trailer line, but RFC 9112 allows multiple trailer fields in between. When trailers are present, none of the pattern matches apply, leading to a recursive call with unchanged state and no progress, effectively causing an infinite loop. This pins the worker process for the duration of the TCP connection. Multiple concurrent connections with such requests can exhaust the worker pool, resulting in a denial of service. This affects bandit versions from 1.6.1 up to but not including 1.11.1.
Potential Impact
An unauthenticated remote attacker can cause a denial of service by sending a small number of concurrent chunked HTTP requests containing trailer fields. This exhausts the server's worker pool by pinning worker processes in an infinite loop, rendering the server unresponsive to legitimate traffic. Servers behind proxies that forward trailer-bearing requests (e.g., NGINX, HAProxy) may be affected even without malicious client activity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider mitigating by limiting or filtering HTTP requests with chunked transfer encoding containing trailer fields at the proxy or firewall level to prevent triggering the infinite loop condition. Monitor for updates from the mtrudel bandit project regarding patches or official workarounds.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-04-07T12:28:54.916Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0488f0cbff5d8610d62f9e
Added to database: 5/13/2026, 2:21:36 PM
Last enriched: 5/13/2026, 2:36:29 PM
Last updated: 5/13/2026, 3:23:02 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.