{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-42786", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "state": "PUBLISHED", "assignerShortName": "EEF", "dateReserved": "2026-04-29T18:06:33.251Z", "datePublished": "2026-05-01T20:34:17.014Z", "dateUpdated": "2026-05-04T17:11:36.814Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.hex.pm", "cpes": ["cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["'Elixir.Bandit.WebSocket.Connection'"], "packageName": "bandit", "packageURL": "pkg:hex/bandit", "product": "bandit", "programFiles": ["lib/bandit/websocket/connection.ex"], "programRoutines": [{"name": "'Elixir.Bandit.WebSocket.Connection':handle_frame/3"}], "repo": "https://github.com/mtrudel/bandit", "vendor": "mtrudel", "versions": [{"lessThan": "1.11.0", "status": "affected", "version": "0.5.0", "versionType": "semver"}]}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["'Elixir.Bandit.WebSocket.Connection'"], "packageName": "mtrudel/bandit", "packageURL": "pkg:github/mtrudel/bandit", "product": "bandit", "programFiles": ["lib/bandit/websocket/connection.ex"], "programRoutines": [{"name": "'Elixir.Bandit.WebSocket.Connection':handle_frame/3"}], "repo": "https://github.com/mtrudel/bandit", "vendor": "mtrudel", "versions": [{"lessThan": "21612c7c7b1ce43eccd36d3af3a2299d23513667", "status": "affected", "version": "8909391f486d42138c5308410bc5ea49a65f4d46", "versionType": "git"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The application must accept WebSocket connections. Applications that expose no WebSocket endpoints are not affected.</p>"}], "value": "The application must accept WebSocket connections. Applications that expose no WebSocket endpoints are not affected."}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.11.0", "versionStartIncluding": "0.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Ullrich"}, {"lang": "en", "type": "remediation developer", "value": "Mat Trudel"}, {"lang": "en", "type": "analyst", "value": "Jonatan M\u00e4nnchen"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.<p>The fragment reassembly path in <tt>'Elixir.Bandit.WebSocket.Connection':handle_frame/3</tt> in <tt>lib/bandit/websocket/connection.ex</tt> appends every incoming <tt>Continuation{fin: false}</tt> frame's payload to a per-connection iolist with no cumulative size cap. The existing <tt>max_frame_size</tt> option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting <tt>fin=1</tt> grows BEAM heap linearly until the OS or a supervisor kills the process.</p><p>Because the accumulation happens before <tt>WebSock.handle_in/2</tt> is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over <tt>WebSock</tt> on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections.</p><p>This issue affects bandit: from 0.5.0 before 1.11.0.</p>"}], "value": "Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.\n\nThe fragment reassembly path in 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 in lib/bandit/websocket/connection.ex appends every incoming Continuation{fin: false} frame's payload to a per-connection iolist with no cumulative size cap. The existing max_frame_size option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting fin=1 grows BEAM heap linearly until the OS or a supervisor kills the process.\n\nBecause the accumulation happens before WebSock.handle_in/2 is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over WebSock on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections.\n\nThis issue affects bandit: from 0.5.0 before 1.11.0."}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"cvssV4_0": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-05-04T17:11:36.814Z"}, "references": [{"tags": ["vendor-advisory", "related"], "url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-pf94-94m9-536p"}, {"tags": ["related"], "url": "https://cna.erlef.org/cves/CVE-2026-42786.html"}, {"tags": ["related"], "url": "https://osv.dev/vulnerability/EEF-CVE-2026-42786"}, {"tags": ["patch"], "url": "https://github.com/mtrudel/bandit/commit/21612c7c7b1ce43eccd36d3af3a2299d23513667"}], "source": {"discovery": "EXTERNAL"}, "title": "WebSocket fragmented message reassembly unbounded in bandit", "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"references": [{"url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-pf94-94m9-536p", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-02T01:15:58.376139Z", "id": "CVE-2026-42786", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-02T01:16:39.704Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-42786", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-02T01:15:58.376139Z"}}}], "references": [{"url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-pf94-94m9-536p", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-02T01:16:34.837Z"}}], "cna": {"title": "WebSocket fragmented message reassembly unbounded in bandit", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Peter Ullrich"}, {"lang": "en", "type": "remediation developer", "value": "Mat Trudel"}, {"lang": "en", "type": "analyst", "value": "Jonatan M\u00e4nnchen"}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"], "repo": "https://github.com/mtrudel/bandit", "vendor": "mtrudel", "modules": ["'Elixir.Bandit.WebSocket.Connection'"], "product": "bandit", "versions": [{"status": "affected", "version": "0.5.0", "lessThan": "1.11.0", "versionType": "semver"}], "packageURL": "pkg:hex/bandit", "packageName": "bandit", "programFiles": ["lib/bandit/websocket/connection.ex"], "collectionURL": "https://repo.hex.pm", "defaultStatus": "unaffected", "programRoutines": [{"name": "'Elixir.Bandit.WebSocket.Connection':handle_frame/3"}]}, {"cpes": ["cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"], "repo": "https://github.com/mtrudel/bandit", "vendor": "mtrudel", "modules": ["'Elixir.Bandit.WebSocket.Connection'"], "product": "bandit", "versions": [{"status": "affected", "version": "8909391f486d42138c5308410bc5ea49a65f4d46", "lessThan": "21612c7c7b1ce43eccd36d3af3a2299d23513667", "versionType": "git"}], "packageURL": "pkg:github/mtrudel/bandit", "packageName": "mtrudel/bandit", "programFiles": ["lib/bandit/websocket/connection.ex"], "collectionURL": "https://github.com", "defaultStatus": "unaffected", "programRoutines": [{"name": "'Elixir.Bandit.WebSocket.Connection':handle_frame/3"}]}], "references": [{"url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-pf94-94m9-536p", "tags": ["vendor-advisory", "related"]}, {"url": "https://cna.erlef.org/cves/CVE-2026-42786.html", "tags": ["related"]}, {"url": "https://osv.dev/vulnerability/EEF-CVE-2026-42786", "tags": ["related"]}, {"url": "https://github.com/mtrudel/bandit/commit/21612c7c7b1ce43eccd36d3af3a2299d23513667", "tags": ["patch"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.\n\nThe fragment reassembly path in 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 in lib/bandit/websocket/connection.ex appends every incoming Continuation{fin: false} frame's payload to a per-connection iolist with no cumulative size cap. The existing max_frame_size option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting fin=1 grows BEAM heap linearly until the OS or a supervisor kills the process.\n\nBecause the accumulation happens before WebSock.handle_in/2 is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over WebSock on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections.\n\nThis issue affects bandit: from 0.5.0 before 1.11.0.", "supportingMedia": [{"type": "text/html", "value": "Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.<p>The fragment reassembly path in <tt>'Elixir.Bandit.WebSocket.Connection':handle_frame/3</tt> in <tt>lib/bandit/websocket/connection.ex</tt> appends every incoming <tt>Continuation{fin: false}</tt> frame's payload to a per-connection iolist with no cumulative size cap. The existing <tt>max_frame_size</tt> option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting <tt>fin=1</tt> grows BEAM heap linearly until the OS or a supervisor kills the process.</p><p>Because the accumulation happens before <tt>WebSock.handle_in/2</tt> is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over <tt>WebSock</tt> on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections.</p><p>This issue affects bandit: from 0.5.0 before 1.11.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "configurations": [{"lang": "en", "value": "The application must accept WebSocket connections. Applications that expose no WebSocket endpoints are not affected.", "supportingMedia": [{"type": "text/html", "value": "<p>The application must accept WebSocket connections. Applications that expose no WebSocket endpoints are not affected.</p>", "base64": false}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.11.0", "versionStartIncluding": "0.5.0"}], "operator": "OR"}], "operator": "AND"}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-05-04T17:11:36.814Z"}}}, "cveMetadata": {"cveId": "CVE-2026-42786", "state": "PUBLISHED", "dateUpdated": "2026-05-04T17:11:36.814Z", "dateReserved": "2026-04-29T18:06:33.251Z", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "datePublished": "2026-05-01T20:34:17.014Z", "assignerShortName": "EEF"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.\n\nThe fragment reassembly path in 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 in lib/bandit/websocket/connection.ex appends every incoming Continuation{fin: false} frame's payload to a per-connection iolist with no cumulative size cap. The existing max_frame_size option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting fin=1 grows BEAM heap linearly until the OS or a supervisor kills the process.\n\nBecause the accumulation happens before WebSock.handle_in/2 is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over WebSock on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections.\n\nThis issue affects bandit: from 0.5.0 before 1.11.0."}], "id": "CVE-2026-42786", "lastModified": "2026-05-05T19:37:28.367", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}, "published": "2026-05-01T21:16:17.347", "references": [{"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://cna.erlef.org/cves/CVE-2026-42786.html"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/mtrudel/bandit/commit/21612c7c7b1ce43eccd36d3af3a2299d23513667"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-pf94-94m9-536p"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://osv.dev/vulnerability/EEF-CVE-2026-42786"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-pf94-94m9-536p"}], "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}

{"bugzilla": {"description": "bandit: Bandit: Denial of Service via uncontrolled memory growth in WebSocket connections", "id": "2464587", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464587"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in bandit. A remote, unauthenticated attacker can exploit an Allocation of Resources Without Limits or Throttling vulnerability in the fragment reassembly path of the WebSocket connection handling. This allows the attacker to send an unbounded number of continuation frames, leading to uncontrolled memory growth and ultimately a denial of service (DoS) by exhausting system resources."], "name": "CVE-2026-42786", "public_date": "2026-05-01T20:34:17Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-42786\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42786\nhttps://cna.erlef.org/cves/CVE-2026-42786.html\nhttps://github.com/mtrudel/bandit/commit/21612c7c7b1ce43eccd36d3af3a2299d23513667\nhttps://github.com/mtrudel/bandit/security/advisories/GHSA-pf94-94m9-536p\nhttps://osv.dev/vulnerability/EEF-CVE-2026-42786"], "statement": "This IMPORTANT DoS vulnerability in Bandit's WebSocket handling allows unauthenticated memory exhaustion via unbounded continuation frames. Unlike CVE-2026-39804, this affects stock Phoenix and LiveView applications since accumulation happens before WebSock.handle_in is called. Impact is high availability loss. Affects Bandit versions 0.5.0 to before 1.11.0.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.5.0,1.11.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "bandit", "source": "cna", "vendor": "mtrudel"}, "product": "bandit", "vendor": "mtrudel"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8909391f486d42138c5308410bc5ea49a65f4d46,1.11.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "bandit", "source": "cna", "vendor": "mtrudel"}, "product": "bandit", "vendor": "mtrudel"}], "created": "2026-05-01T23:00:14.018237+00:00", "updated": "2026-05-04T16:07:20.353069+00:00", "vendors": ["mtrudel", "mtrudel$PRODUCT$bandit"]}