PT-2026-36543 · Phoenix Framework · Phoenix

Jonatan Männchen

Published: 2026-05-01 · Updated: 2026-05-14 · CVE-2026-42786

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Name of the Vulnerable Software and Affected Versions: bandit versions 0.5.0 through 1.10.x
Description: An allocation of resources without limits or throttling allows an unauthenticated remote attacker to cause a denial of service through memory exhaustion. The fragment reassembly path in handle_frame/3 within 'Elixir.Bandit.WebSocket.Connection' appends the payload of every incoming Continuation frame whose fin bit is unset to a per-connection iolist without any cumulative size cap. The max_frame_size option bounds each individual frame, but nothing bounds the total, so a remote actor can stream an unbounded sequence of continuation frames without ever setting fin=1, and the BEAM heap grows linearly until the process is terminated by the operating system or a supervisor. The accumulation happens before handle_in/2 is called, so the application has no opportunity to enforce its own size check. Stock Phoenix applications using Phoenix Channels or LiveView are therefore exposed as soon as they accept socket connections. Only applications that accept WebSocket connections are affected.
Recommendations: Update bandit to version 1.11.0 or later. As a temporary mitigation, disable WebSocket endpoints if the application does not require them.
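To make the defect and its fix concrete, the following is an added Elixir model of WebSocket fragment reassembly written for this advisory; it is not Bandit's or Phoenix's code, and the module name, handler names and both cap values are assumptions. The unbounded handler only checks each frame against a per-frame cap, as the vulnerable path does; the bounded handler also carries the accumulated byte count and closes with status 1009 (Message Too Big) before the per-message cap is exceeded.

```elixir
defmodule FragmentReassembly do
  # Illustrative model of WebSocket fragment reassembly; not Bandit's code.
  # Both caps are assumed values chosen for this example.
  @max_frame_size 1_000      # per-frame limit, like the max_frame_size option
  @max_message_size 4_000    # cumulative limit that the vulnerable path lacks

  # Vulnerable shape: each frame is checked against @max_frame_size, but the
  # iolist of continuation payloads grows for as long as fin stays false.
  def unbounded(%{payload: p}, _acc) when byte_size(p) > @max_frame_size,
    do: {:close, 1009}

  def unbounded(%{fin: false, payload: p}, acc), do: {:cont, [acc, p]}
  def unbounded(%{fin: true, payload: p}, acc), do: {:done, IO.iodata_to_binary([acc, p])}

  # Hardened shape: carry the accumulated byte count in the state and refuse
  # the message with close code 1009 (Message Too Big, RFC 6455) once the
  # total would exceed @max_message_size, before anything else is appended.
  def bounded(%{payload: p}, _state) when byte_size(p) > @max_frame_size,
    do: {:close, 1009}

  def bounded(%{fin: fin, payload: p}, {acc, size}) do
    total = size + byte_size(p)

    cond do
      total > @max_message_size -> {:close, 1009}
      fin -> {:done, IO.iodata_to_binary([acc, p])}
      true -> {:cont, {[acc, p], total}}
    end
  end

  # Feed a list of frames through either handler, stopping at the first
  # terminal result. `handler` is &unbounded/2 or &bounded/2.
  def run(frames, handler, initial) do
    Enum.reduce_while(frames, {:cont, initial}, fn frame, {:cont, state} ->
      case handler.(frame, state) do
        {:cont, _} = next -> {:cont, next}
        terminal -> {:halt, terminal}
      end
    end)
  end
end

# Constructed input: five 1 000-byte continuation frames, none with fin set.
frames = List.duplicate(%{fin: false, payload: :binary.copy(<<0>>, 1_000)}, 5)

# The unbounded handler keeps accumulating; the bounded one closes at frame 5.
{:cont, _} = FragmentReassembly.run(frames, &FragmentReassembly.unbounded/2, [])
{:close, 1009} = FragmentReassembly.run(frames, &FragmentReassembly.bounded/2, {[], 0})
```

Run it with `elixir fragment_reassembly.exs`; the two top-level pattern matches at the end act as assertions and raise a MatchError if either handler misbehaves.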

Weakness Enumeration

Allocation of Resources Without Limits (DoS)

Related Identifiers

CVE-2026-42786
GHSA-PF94-94M9-536P

Affected Products

Bandit
Phoenix