CVE-2026-42788: CWE-770 Allocation of Resources Without Limits or Throttling in mtrudel bandit
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated memory exhaustion via oversized HTTP/2 frames. 'Elixir.Bandit.HTTP2.Frame':deserialize/2 in lib/bandit/http2/frame.ex checks the SETTINGS_MAX_FRAME_SIZE limit only after pattern-matching payload::binary-size(length), which requires the entire frame body to be present in memory before either the accept or reject clause can fire. A peer that announces a frame length up to the 24-bit maximum (~16 MiB) causes the server to buffer that entire body before the size guard is evaluated, regardless of the max_frame_size negotiated during the HTTP/2 handshake (default 16 KiB per RFC 9113). An unauthenticated attacker holding many concurrent connections can force the server to buffer far more memory than the negotiated frame size limit should permit, leading to memory pressure and potential denial of service. This issue affects bandit: from 0.3.6 before 1.11.0.
AI Analysis
Technical Summary
The vulnerability arises from the Elixir.Bandit.HTTP2.Frame:deserialize/2 function, which pattern-matches the frame payload before checking the SETTINGS_MAX_FRAME_SIZE limit. This causes the server to allocate memory for the entire frame body regardless of the negotiated maximum frame size during the HTTP/2 handshake. An attacker can exploit this by sending frames with lengths up to the 24-bit maximum (~16 MiB), forcing the server to buffer large amounts of memory. Holding many concurrent connections with such frames can exhaust server memory, leading to denial of service. The flaw affects bandit versions starting at 0.3.6 and prior to 1.11.0.
Potential Impact
An unauthenticated attacker can cause memory exhaustion on the affected server by sending oversized HTTP/2 frames, potentially resulting in denial of service. The vulnerability bypasses the negotiated maximum frame size limit, allowing excessive memory allocation. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, consider limiting the number of concurrent HTTP/2 connections or implementing external protections such as rate limiting or upstream filtering to mitigate memory exhaustion risks.
CVE-2026-42788: CWE-770 Allocation of Resources Without Limits or Throttling in mtrudel bandit
Description
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated memory exhaustion via oversized HTTP/2 frames. 'Elixir.Bandit.HTTP2.Frame':deserialize/2 in lib/bandit/http2/frame.ex checks the SETTINGS_MAX_FRAME_SIZE limit only after pattern-matching payload::binary-size(length), which requires the entire frame body to be present in memory before either the accept or reject clause can fire. A peer that announces a frame length up to the 24-bit maximum (~16 MiB) causes the server to buffer that entire body before the size guard is evaluated, regardless of the max_frame_size negotiated during the HTTP/2 handshake (default 16 KiB per RFC 9113). An unauthenticated attacker holding many concurrent connections can force the server to buffer far more memory than the negotiated frame size limit should permit, leading to memory pressure and potential denial of service. This issue affects bandit: from 0.3.6 before 1.11.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises from the Elixir.Bandit.HTTP2.Frame:deserialize/2 function, which pattern-matches the frame payload before checking the SETTINGS_MAX_FRAME_SIZE limit. This causes the server to allocate memory for the entire frame body regardless of the negotiated maximum frame size during the HTTP/2 handshake. An attacker can exploit this by sending frames with lengths up to the 24-bit maximum (~16 MiB), forcing the server to buffer large amounts of memory. Holding many concurrent connections with such frames can exhaust server memory, leading to denial of service. The flaw affects bandit versions starting at 0.3.6 and prior to 1.11.0.
Potential Impact
An unauthenticated attacker can cause memory exhaustion on the affected server by sending oversized HTTP/2 frames, potentially resulting in denial of service. The vulnerability bypasses the negotiated maximum frame size limit, allowing excessive memory allocation. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, consider limiting the number of concurrent HTTP/2 connections or implementing external protections such as rate limiting or upstream filtering to mitigate memory exhaustion risks.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-04-29T18:06:33.251Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f5124bcbff5d86105840f0
Added to database: 5/1/2026, 8:51:23 PM
Last enriched: 5/1/2026, 9:06:45 PM
Last updated: 5/1/2026, 9:55:39 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.