Bandit WebSocket flaws allow unauthenticated memory exhaustion
Two high-severity denial-of-service vulnerabilities have been disclosed in mtrudel Bandit that let unauthenticated remote attackers exhaust server memory through WebSocket handling. CVE-2026-42786 affects Bandit versions from 0.5.0 before 1.11.0 and stems from unbounded accumulation of fragmented WebSocket continuation frames in Elixir.Bandit.WebSocket.Connection.handle_frame/3: Bandit appends each fragment to a per-connection iolist without any cumulative size limit, so an attacker can keep sending fin: false frames until the BEAM node runs out of memory. The accumulation happens before WebSock.handle_in/2 is called, so application-level checks cannot stop it, and Phoenix Channels and LiveView deployments that accept socket connections are exposed.
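The pattern behind the fragment-reassembly flaw, as an added illustration that is not part of the advisory and not Bandit's code: a minimal RFC 6455 frame codec feeds a per-connection reassembler that either appends every fin=False fragment with no running total (the vulnerable shape) or enforces a cumulative cap before buffering. The cap option name max_frame_size, the class names and the flood sizes are assumptions for the demonstration.

```python
"""Fragmented-message reassembly with and without a cumulative size cap.

Constructed illustration of the pattern behind the fragment-reassembly flaw;
this is not Bandit's code and the names are assumptions.
"""
import os
import struct

OP_CONTINUATION, OP_TEXT, OP_BINARY = 0x0, 0x1, 0x2


def _mask(data: bytes, key: bytes) -> bytes:
    """XOR data with the 4-byte masking key (RFC 6455 section 5.3); symmetric."""
    if not data:
        return b""
    stream = (key * (len(data) // 4 + 1))[: len(data)]
    return (int.from_bytes(data, "big") ^ int.from_bytes(stream, "big")).to_bytes(len(data), "big")


def build_client_frame(payload: bytes, opcode: int, fin: bool) -> bytes:
    """Encode one masked client-to-server frame (RFC 6455 section 5.2)."""
    head = bytes([(0x80 if fin else 0x00) | opcode])
    n = len(payload)
    if n < 126:
        head += bytes([0x80 | n])
    elif n < 65536:
        head += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        head += bytes([0x80 | 127]) + struct.pack("!Q", n)
    key = os.urandom(4)
    return head + key + _mask(payload, key)


def parse_client_frame(buf: bytes):
    """Decode one masked frame; returns (fin, opcode, payload, bytes_consumed)."""
    fin = bool(buf[0] & 0x80)
    opcode = buf[0] & 0x0F
    if not buf[1] & 0x80:
        raise ValueError("client-to-server frames must be masked")
    n, pos = buf[1] & 0x7F, 2
    if n == 126:
        (n,) = struct.unpack_from("!H", buf, pos)
        pos += 2
    elif n == 127:
        (n,) = struct.unpack_from("!Q", buf, pos)
        pos += 8
    key, pos = buf[pos:pos + 4], pos + 4
    masked = buf[pos:pos + n]
    if len(masked) != n:
        raise ValueError("truncated frame")
    return fin, opcode, _mask(masked, key), pos + n


class FragmentLimitExceeded(Exception):
    """Raised when a fragmented message would exceed the configured cap."""


class Reassembler:
    """Per-connection fragment state. max_frame_size=None reproduces the unbounded
    pattern: every fin=False fragment is appended and nothing checks the running total."""

    def __init__(self, max_frame_size=None):
        self.max_frame_size = max_frame_size   # hypothetical option name
        self.fragments = []                     # the per-connection buffer (an iolist in Elixir)
        self.fragment_size = 0                  # running total the vulnerable code never keeps
        self.opcode = None                      # opcode of the message being assembled

    def handle_frame(self, fin: bool, opcode: int, payload: bytes):
        """Buffer a fragment; return (opcode, message) once the final fragment arrives."""
        if opcode == OP_CONTINUATION and self.opcode is None:
            raise ValueError("continuation frame without a started message")
        if opcode != OP_CONTINUATION and self.opcode is not None:
            raise ValueError("new data frame while a fragmented message is in progress")
        if opcode != OP_CONTINUATION:
            self.opcode = opcode
        new_size = self.fragment_size + len(payload)
        # Enforced before the fragment is buffered and before any application handler
        # (WebSock.handle_in/2 in Bandit's case) could see the data.
        if self.max_frame_size is not None and new_size > self.max_frame_size:
            raise FragmentLimitExceeded(f"fragmented message exceeds {self.max_frame_size} bytes")
        self.fragments.append(payload)
        self.fragment_size = new_size
        if not fin:
            return None
        message = (self.opcode, b"".join(self.fragments))
        self.fragments, self.fragment_size, self.opcode = [], 0, None
        return message


def simulate_flood(max_frame_size, frame_count: int, frame_bytes: int = 4096):
    """Attacker sends frame_count fragments that never set FIN.
    Returns (bytes held by the connection, fragments accepted, whether the cap tripped)."""
    r = Reassembler(max_frame_size)
    accepted = 0
    for i in range(frame_count):
        raw = build_client_frame(b"A" * frame_bytes, OP_BINARY if i == 0 else OP_CONTINUATION, fin=False)
        fin, opcode, payload, _ = parse_client_frame(raw)
        try:
            r.handle_frame(fin, opcode, payload)
            accepted += 1
        except FragmentLimitExceeded:
            return r.fragment_size, accepted, True
    return r.fragment_size, accepted, False


if __name__ == "__main__":
    print("unbounded:", simulate_flood(None, 300))                # (1228800, 300, False)
    print("capped at 512 KiB:", simulate_flood(512 * 1024, 300))  # (524288, 128, True)
```

The unbounded reassembler holds 300 × 4096 bytes after 300 frames and would keep growing for as long as the client keeps the message open; the capped one refuses the 129th fragment at 512 KiB while still holding at most the cap. Since a single connection can be driven this way without ever completing a message, the cap has to be enforced on the running total at the transport layer, not on the finished message the application eventually receives.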
A second flaw, CVE-2026-39804, affects Bandit versions from 0.5.9 before 1.11.0 and is caused by unbounded decompression in Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2, where :zlib.inflate/2 is used without an output-size cap before the payload is converted into a single binary. A small compressed WebSocket frame can therefore trigger a very large allocation and potentially an out-of-memory kill before application code executes. The issue only affects deployments that enable WebSocket compression at both the Bandit server level (websocket_options.compress) and at upgrade time (compress: true in WebSockAdapter.upgrade/4); stock Phoenix and LiveView defaults are reported as unaffected because compression is off by default.
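The permessage-deflate side, as an added illustration that is not part of the advisory and not Bandit's code: a constructed frame payload of a few kilobytes inflates to 8 MiB, the unbounded path materialises all of it as one binary, and a bounded inflater stops as soon as the running output passes a ceiling. The ceiling value, the chunk size and the function names are assumptions; the trailing 00 00 ff ff handling follows RFC 7692 section 7.2.

```python
"""Bounded versus unbounded inflation of a permessage-deflate payload.

Constructed illustration, not Bandit's code; the limit value, chunk size and
function names are assumptions.
"""
import zlib

# RFC 7692 section 7.2: the sender strips the trailing 00 00 ff ff of each
# sync-flushed deflate block; the receiver appends it back before inflating.
SYNC_TAIL = b"\x00\x00\xff\xff"


def deflate_message(plain: bytes) -> bytes:
    """Client side: raw deflate (no zlib header), sync-flushed, tail removed."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    out = c.compress(plain) + c.flush(zlib.Z_SYNC_FLUSH)
    assert out.endswith(SYNC_TAIL)  # Z_SYNC_FLUSH always ends with an empty stored block
    return out[:-4]


class InflateLimitExceeded(Exception):
    """Raised when inflated output would exceed the configured ceiling."""


def inflate_unbounded(payload: bytes) -> bytes:
    """The vulnerable shape: inflate everything, then hold it as one binary."""
    return zlib.decompressobj(wbits=-15).decompress(payload + SYNC_TAIL)


def inflate_bounded(payload: bytes, max_inflated: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate in bounded steps and stop as soon as the running total passes max_inflated.
    At most max_inflated + chunk bytes of output are ever materialised."""
    d = zlib.decompressobj(wbits=-15)
    pending = payload + SYNC_TAIL
    out, total = [], 0
    while True:
        piece = d.decompress(pending, chunk)     # at most `chunk` bytes of output per call
        total += len(piece)
        if total > max_inflated:
            raise InflateLimitExceeded(f"inflated size exceeds {max_inflated} bytes")
        out.append(piece)
        pending = d.unconsumed_tail              # input zlib has not consumed yet
        if not pending and len(piece) < chunk:   # nothing left on either side
            break
    return b"".join(out)


def build_bomb(size: int) -> bytes:
    """Constructed attacker payload: `size` zero bytes compress at roughly 1000:1."""
    return deflate_message(b"\x00" * size)


def demo(max_inflated: int = 1 << 20):
    """Returns (bomb wire size, unbounded inflated size, whether the bounded path refused)."""
    bomb = build_bomb(8 << 20)
    unbounded = len(inflate_unbounded(bomb))
    try:
        inflate_bounded(bomb, max_inflated)
        refused = False
    except InflateLimitExceeded:
        refused = True
    return len(bomb), unbounded, refused


if __name__ == "__main__":
    wire, inflated, refused = demo()
    print(f"{wire} wire bytes -> {inflated} inflated bytes; bounded path refused: {refused}")
```

The bounded version never holds more than the ceiling plus one chunk, so an attacker's 8 MiB of zeros costs the server at most about 1 MiB before the connection is dropped. Erlang/OTP offers the same chunked approach natively as zlib:safeInflate/2, which returns {continue, Output} or {finished, Output} after a bounded amount of work; whether Bandit 1.11.0 uses that call is not stated here. For WebSocket compression with context takeover, the decompressor object has to be kept per connection across messages, which this stand-alone example does not do.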
Timeline
May 1, 2026
CVE-2026-39804 disclosed for unbounded permessage-deflate inflation
CVE-2026-39804 was recorded as a high-severity denial-of-service flaw in Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2. When Bandit's WebSocket compression is enabled, a small compressed frame can decompress into a massive payload and exhaust memory before application code runs.
May 1, 2026
CVE-2026-42786 disclosed for unbounded WebSocket fragment reassembly
CVE-2026-42786 was recorded as a high-severity denial-of-service flaw in Elixir.Bandit.WebSocket.Connection.handle_frame/3. An unauthenticated remote attacker can send unlimited continuation frames with fin: false to force unbounded memory allocation before application-level checks occur.
May 1, 2026
Bandit releases fixes for two WebSocket DoS flaws in version 1.11.0
Two denial-of-service vulnerabilities affecting mtrudel Bandit were disclosed as fixed in Bandit 1.11.0: one involving unbounded WebSocket fragmented-message reassembly and another involving unbounded permessage-deflate decompression. The issues affect Bandit versions before 1.11.0, with impacted ranges starting at 0.5.0 for fragmented reassembly and 0.5.9 for permessage-deflate inflation.
Related Stories

DoS Flaws in Micronaut and Netty Let Remote Attackers Exhaust Server Resources
Two high-severity denial-of-service vulnerabilities were disclosed in widely used Java infrastructure components, allowing remote attackers to exhaust CPU and memory and disrupt application availability without authentication. In Micronaut, `CVE-2026-33013` affects versions before `4.10.16` and `3.10.5` and is caused by improper handling of descending array indices during `application/x-www-form-urlencoded` body binding in `JsonBeanPropertyBinder::expandArrayToThreshold`. A crafted request using indexed parameters such as `authors[1].name` followed by `authors[0].name` can trigger a non-terminating loop, CPU exhaustion, and an `OutOfMemoryError`. Netty separately patched `CVE-2026-33871`, a denial-of-service flaw in HTTP/2 processing that affects versions before `4.1.132.Final` and `4.2.10.Final`. The bug lets attackers flood servers with `CONTINUATION` frames because the framework did not enforce a limit on their number, and existing size-based protections could be bypassed with zero-byte frames. The result is excessive CPU consumption with minimal bandwidth, potentially leaving HTTP/2 services unresponsive. The issues are tracked as `CWE-835` in Micronaut and `CWE-770` in Netty, and both vendors released fixed versions for affected branches.
1 month ago
libp2p-rust Gossipsub PRUNE Backoff Flaws Enable Remote DoS
Two high-severity flaws in the Rust implementation of **libp2p** allow remote peers to crash applications using the **Gossipsub** protocol by sending crafted `PRUNE` control messages with extremely large backoff values. **CVE-2026-33040** affects versions prior to `0.49.3`, where unchecked time arithmetic in the networking state machine can panic and cause a denial of service, while **CVE-2026-34219** affects versions prior to `0.49.4` through improper backoff expiry handling that triggers an `Instant + Duration` integer overflow during heartbeat processing. The bugs are reachable over normal Gossipsub peer connectivity, including TCP sessions using Noise with `mplex` or `yamux`, and do not require traditional authentication beyond establishing a protocol peer relationship. Both issues are classified under **CWE-190** for integer overflow, with the newer advisory also citing **CWE-617**, and both primarily impact availability by enabling unauthenticated or minimally authenticated remote attackers to force panics in exposed services. Maintainers patched the issues in **libp2p-rust** versions `0.49.3` and `0.49.4`, respectively.
1 month ago
Critical Mbed TLS Flaws Enable Buffer Overflow and Potential Code Execution
Two high-severity vulnerabilities were disclosed in **Mbed TLS**, including a buffer overflow in FFDH public key export tracked as `CVE-2026-34875` and a memory-corruption issue tied to serialized SSL context or session structures tracked as `CVE-2026-34877`. The first flaw affects **Mbed TLS through 3.6.5** and **TF-PSA-Crypto 1.0.0**, while the second impacts **Mbed TLS 2.19.0 through 3.6.5** as well as **4.0.0**. Both issues were assigned the `CVSS v3.1` vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating remotely exploitable conditions with low attack complexity and high impact on confidentiality, integrity, and availability. `CVE-2026-34875` is classified under **CWE-120** and occurs during export of FFDH public keys, creating a buffer overflow condition. `CVE-2026-34877` is associated with **CWE-502** and **CWE-250** and can lead to arbitrary code execution if an attacker can alter serialized SSL context or session data before it is processed. Mbed TLS security advisories were published for both flaws, putting organizations that embed the library in network-facing products, cryptographic services, or TLS-enabled applications on notice to review affected versions and vendor guidance immediately.
1 month ago