Veröffentlicht am von ms-freelancer

CVE-2026-42786 – WebSocket fragmented message reassembly unbounded in bandit

CVE ID :CVE-2026-42786

Published : May 1, 2026, 9:16 p.m. | 1 hour, 3 minutes ago

Description :Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.

The fragment reassembly path in ‚Elixir.Bandit.WebSocket.Connection‘:handle_frame/3 in lib/bandit/websocket/connection.ex appends every incoming Continuation{fin: false} frame’s payload to a per-connection iolist with no cumulative size cap. The existing max_frame_size option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting fin=1 grows BEAM heap linearly until the OS or a supervisor kills the process.

Because the accumulation happens before WebSock.handle_in/2 is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over WebSock on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections.

This issue affects bandit: from 0.5.0 before 1.11.0.

Severity: 8.7 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…