CVE-2026-39806

HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit

Previous Page: « Back to all CVEs Next Page: See on OSV.dev »

Weakness Type (CWE)

CWE-835 — CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CAPEC

• CAPEC-469 — CAPEC-469 HTTP DoS

CVSS 4.0 Score

8.7

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Vulnerability description

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion.

'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is followed immediately by the empty trailer line \r\n. RFC 9112 §7.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives <<>> on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection.

A handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement.

This issue affects bandit: from 1.6.1 before 1.11.1.

Affected

pkg:hex/bandit

Module	Source File	Routine
Bandit.HTTP1.Socket	lib/bandit/http1/socket.ex	Bandit.HTTP1.Socket.do_read_chunked_data!/5

Status	Type	Version	Changes / Fixed in
affected	semver ⓘ	1.6.1	< 1.11.1

pkg:github/mtrudel/bandit

Module	Source File	Routine
Bandit.HTTP1.Socket	lib/bandit/http1/socket.ex	Bandit.HTTP1.Socket.do_read_chunked_data!/5

Status	Type	Version	Changes / Fixed in
affected	git ⓘ	e73e379ab5	< ae3520dfdb

References

• https://github.com/mtrudel/bandit/security/advisories/GHSA-rf5q-vwxw-gmrf vendor-advisory related
• https://osv.dev/vulnerability/EEF-CVE-2026-39806 related
• https://github.com/mtrudel/bandit/commit/ae3520dfdbfab115c638f8c7f6f6b805db34e1ab patch

Credits

• Finder: Peter Ullrich
• Remediation developer: Mat Trudel
• Analyst: Jonatan Männchen

CVE record as JSON:  GET /cves/CVE-2026-39806.json
OSV record as JSON:  GET /osv/EEF-CVE-2026-39806.json