{"containers":{"cna":{"affected":[{"collectionURL":"https://repo.hex.pm","cpes":["cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","modules":["'Elixir.Bandit.WebSocket.Connection'"],"packageName":"bandit","packageURL":"pkg:hex/bandit","product":"bandit","programFiles":["lib/bandit/websocket/connection.ex"],"programRoutines":[{"name":"'Elixir.Bandit.WebSocket.Connection':handle_frame/3"}],"repo":"https://github.com/mtrudel/bandit","vendor":"mtrudel","versions":[{"lessThan":"1.11.0","status":"affected","version":"0.5.0","versionType":"semver"}]},{"collectionURL":"https://github.com","cpes":["cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","modules":["'Elixir.Bandit.WebSocket.Connection'"],"packageName":"mtrudel/bandit","packageURL":"pkg:github/mtrudel/bandit","product":"bandit","programFiles":["lib/bandit/websocket/connection.ex"],"programRoutines":[{"name":"'Elixir.Bandit.WebSocket.Connection':handle_frame/3"}],"repo":"https://github.com/mtrudel/bandit","vendor":"mtrudel","versions":[{"lessThan":"1.11.0","status":"affected","version":"8909391f486d42138c5308410bc5ea49a65f4d46","versionType":"git"}]}],"configurations":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>The application must accept WebSocket connections. Applications that expose no WebSocket endpoints are not affected.</p>"}],"value":"The application must accept WebSocket connections. Applications that expose no WebSocket endpoints are not affected."}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*","versionEndExcluding":"1.11.0","versionStartIncluding":"0.5.0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"AND"}],"credits":[{"lang":"en","type":"finder","value":"Peter Ullrich"},{"lang":"en","type":"remediation developer","value":"Mat Trudel"},{"lang":"en","type":"analyst","value":"Jonatan Männchen"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.<p>The fragment reassembly path in <tt>'Elixir.Bandit.WebSocket.Connection':handle_frame/3</tt> in <tt>lib/bandit/websocket/connection.ex</tt> appends every incoming <tt>Continuation{fin: false}</tt> frame's payload to a per-connection iolist with no cumulative size cap. The existing <tt>max_frame_size</tt> option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting <tt>fin=1</tt> grows BEAM heap linearly until the OS or a supervisor kills the process.</p><p>Because the accumulation happens before <tt>WebSock.handle_in/2</tt> is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over <tt>WebSock</tt> on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections.</p><p>This issue affects bandit: from 0.5.0 before 1.11.0.</p>"}],"value":"Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.\n\nThe fragment reassembly path in 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 in lib/bandit/websocket/connection.ex appends every incoming Continuation{fin: false} frame's payload to a per-connection iolist with no cumulative size cap. The existing max_frame_size option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting fin=1 grows BEAM heap linearly until the OS or a supervisor kills the process.\n\nBecause the accumulation happens before WebSock.handle_in/2 is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over WebSock on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections.\n\nThis issue affects bandit: from 0.5.0 before 1.11.0."}],"impacts":[{"capecId":"CAPEC-130","descriptions":[{"lang":"en","value":"CAPEC-130 Excessive Allocation"}]}],"metrics":[{"cvssV4_0":{"attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.7,"baseSeverity":"HIGH","privilegesRequired":"NONE","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-770","description":"CWE-770 Allocation of Resources Without Limits or Throttling","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-01T20:34:17.014Z","orgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","shortName":"EEF"},"references":[{"tags":["vendor-advisory","related"],"url":"https://github.com/mtrudel/bandit/security/advisories/GHSA-pf94-94m9-536p"},{"tags":["related"],"url":"https://cna.erlef.org/cves/CVE-2026-42786.html"},{"tags":["related"],"url":"https://osv.dev/vulnerability/EEF-CVE-2026-42786"},{"tags":["patch"],"url":"https://github.com/mtrudel/bandit/commit/21612c7c7b1ce43eccd36d3af3a2299d23513667"}],"source":{"discovery":"EXTERNAL"},"title":"WebSocket fragmented message reassembly unbounded in bandit","x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","assignerShortName":"EEF","cveId":"CVE-2026-42786","datePublished":"2026-05-01T20:34:17.014Z","dateReserved":"2026-04-29T18:06:33.251Z","dateUpdated":"2026-05-01T20:34:17.014Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"}