CVE-2026-42786: CWE-770 Allocation of Resources Without Limits or Throttling in mtrudel bandit
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The fragment reassembly path in 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 in lib/bandit/websocket/connection.ex appends every incoming Continuation{fin: false} frame's payload to a per-connection iolist with no cumulative size cap. The existing max_frame_size option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting fin=1 grows BEAM heap linearly until the OS or a supervisor kills the process. Because the accumulation happens before WebSock.handle_in/2 is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over WebSock on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections. This issue affects bandit: from 0.5.0 before 1.11.0.
AI Analysis
Technical Summary
The vulnerability CVE-2026-42786 in mtrudel bandit (0.5.0 to before 1.11.0) is due to allocation of resources without limits or throttling (CWE-770). Specifically, the fragment reassembly path in 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 appends payloads from continuation frames with fin=false to a per-connection iolist without enforcing a cumulative size cap. While max_frame_size limits individual frames, it does not limit the total size of all continuation frames combined. An attacker can send an unbounded stream of continuation frames without fin=1, causing linear growth of the BEAM heap memory until the OS or supervisor kills the process. This vulnerability affects applications using Bandit for WebSocket handling, including Phoenix Channels and LiveView, exposing them to remote denial of service.
Potential Impact
An unauthenticated remote attacker can cause a denial of service by sending a continuous stream of WebSocket continuation frames without the fin flag set, leading to unbounded memory consumption in the Bandit WebSocket connection handler. This memory exhaustion can crash the affected process or degrade system performance. The vulnerability affects all applications using Bandit versions from 0.5.0 before 1.11.0, including Phoenix Channels and LiveView, which rely on Bandit for WebSocket handling.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. There is no official fix or patch link provided at this time. Until a patch is available, consider implementing external WebSocket frame size monitoring or limiting connection durations at the application or infrastructure level to mitigate potential denial of service. Monitor vendor channels for updates and apply official fixes once released.
CVE-2026-42786: CWE-770 Allocation of Resources Without Limits or Throttling in mtrudel bandit
Description
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The fragment reassembly path in 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 in lib/bandit/websocket/connection.ex appends every incoming Continuation{fin: false} frame's payload to a per-connection iolist with no cumulative size cap. The existing max_frame_size option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting fin=1 grows BEAM heap linearly until the OS or a supervisor kills the process. Because the accumulation happens before WebSock.handle_in/2 is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over WebSock on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections. This issue affects bandit: from 0.5.0 before 1.11.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-42786 in mtrudel bandit (0.5.0 to before 1.11.0) is due to allocation of resources without limits or throttling (CWE-770). Specifically, the fragment reassembly path in 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 appends payloads from continuation frames with fin=false to a per-connection iolist without enforcing a cumulative size cap. While max_frame_size limits individual frames, it does not limit the total size of all continuation frames combined. An attacker can send an unbounded stream of continuation frames without fin=1, causing linear growth of the BEAM heap memory until the OS or supervisor kills the process. This vulnerability affects applications using Bandit for WebSocket handling, including Phoenix Channels and LiveView, exposing them to remote denial of service.
Potential Impact
An unauthenticated remote attacker can cause a denial of service by sending a continuous stream of WebSocket continuation frames without the fin flag set, leading to unbounded memory consumption in the Bandit WebSocket connection handler. This memory exhaustion can crash the affected process or degrade system performance. The vulnerability affects all applications using Bandit versions from 0.5.0 before 1.11.0, including Phoenix Channels and LiveView, which rely on Bandit for WebSocket handling.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. There is no official fix or patch link provided at this time. Until a patch is available, consider implementing external WebSocket frame size monitoring or limiting connection durations at the application or infrastructure level to mitigate potential denial of service. Monitor vendor channels for updates and apply official fixes once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-04-29T18:06:33.251Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f5124bcbff5d86105840ea
Added to database: 5/1/2026, 8:51:23 PM
Last enriched: 5/1/2026, 9:06:21 PM
Last updated: 5/1/2026, 9:56:41 PM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.