The vulnerability CVE-2026-42786 in mtrudel bandit (versions 0.5.0 to before 1.11.0) is due to the lack of limits on resource allocation during WebSocket fragment reassembly. The function 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 appends payloads of continuation frames with fin=false to a per-connection iolist without enforcing a maximum cumulative size. While individual frames are limited by max_frame_size, an attacker can send an unbounded stream of continuation frames without fin=1, causing linear growth of the BEAM heap memory until the process is terminated by the OS or supervisor. This memory exhaustion leads to denial of service. Because accumulation occurs before the WebSock.handle_in/2 call, applications have no opportunity to check or limit the size, exposing Phoenix applications that use Bandit to this risk.

An unauthenticated remote attacker can exploit this vulnerability to cause a denial of service by exhausting server memory through sending a continuous stream of WebSocket continuation frames without the fin flag set. This results in the targeted process's BEAM heap growing without bound until it is killed, disrupting service availability for applications using Bandit for WebSocket connections, including Phoenix Channels and LiveView. There is no indication of data confidentiality or integrity impact.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider implementing external protections such as limiting WebSocket connection rates or employing upstream WebSocket proxies that enforce frame size and connection duration limits. Monitor for updates from the mtrudel bandit project for an official patch or temporary fix.