PT-2026-36543 · Phoenix Framework · Phoenix

Author: Jonatan Männchen (+2)
Published: 2026-05-01
Updated: 2026-05-01
CVE: CVE-2026-42786
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected software and versions: Bandit versions 0.5.0 through 1.10.x

Description: An unauthenticated remote attacker can cause a denial of service via memory exhaustion. The fragment reassembly path in the handle_frame/3 function within Elixir.Bandit.WebSocket.Connection appends payloads from incoming %Continuation{fin: false} frames to a per-connection iolist without a cumulative size limit. The max_frame_size option bounds individual frames only: a peer can stream an unlimited number of continuation frames without ever setting fin=1, so the BEAM heap grows linearly until the process is terminated by the operating system or a supervisor. This accumulation occurs before WebSock.handle_in/2 is called, so the application has no opportunity to enforce a size check of its own. Consequently, stock Phoenix applications using Phoenix Channels and LiveView are exposed wherever they accept socket connections.

Recommendations: Update to version 1.11.0 or later. As a temporary mitigation, ensure the application does not expose WebSocket endpoints that are not required.
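The following is an added, defender-side illustration of the missing check, not Bandit's code and not the patch shipped in 1.11.0: a minimal WebSocket fragment reassembler that keeps a running byte count across Continuation frames and closes the connection as soon as the cumulative size would exceed a per-message cap, independent of any per-frame cap. The module name FragmentGuard, the frame map shape, the run/2 helper and the max_message_size cap are assumptions for the example; close codes 1009 (Message Too Big) and 1002 (Protocol Error) are the ones defined in RFC 6455.

```elixir
# Added illustration, not Bandit's code: a minimal WebSocket fragment
# reassembler that enforces a cumulative per-message cap (assumed option
# name: max_message_size) in addition to any per-frame cap, so a peer that
# streams Continuation frames with fin=false cannot grow the heap without
# bound. Frame shape, module and function names are assumptions.
defmodule FragmentGuard do
  # Reassembly state: nothing in progress, or the fragments received so far
  # (iolist, oldest first) plus a running byte count. The count lets the cap
  # be checked on every frame without flattening the iolist.
  @type state :: :idle | {:reassembling, iodata(), non_neg_integer()}
  @type frame :: %{opcode: :text | :binary | :continuation, fin: boolean(), payload: binary()}

  @doc """
  Feed one frame into the reassembly state.

  Returns `{:ok, state}` while a message is still incomplete,
  `{:message, payload, :idle}` when the final fragment arrives, and
  `{:close, 1009, :idle}` (Message Too Big, RFC 6455) as soon as the
  cumulative fragment size would exceed `max_message_size`. Protocol
  violations (a stray continuation, or a new data frame mid-message) close
  with 1002 (Protocol Error).
  """
  @spec handle_frame(frame(), state(), non_neg_integer()) ::
          {:ok, state()} | {:message, binary(), state()} | {:close, 1002 | 1009, state()}
  def handle_frame(%{opcode: op, fin: false, payload: p}, :idle, max) when op in [:text, :binary] do
    # First fragment of a fragmented message: start accumulating.
    accumulate([], 0, p, max)
  end

  def handle_frame(%{opcode: op, fin: true, payload: p}, :idle, max) when op in [:text, :binary] do
    # Unfragmented message: nothing to accumulate, but still subject to the cap.
    if byte_size(p) > max, do: {:close, 1009, :idle}, else: {:message, p, :idle}
  end

  def handle_frame(%{opcode: :continuation, fin: fin, payload: p}, {:reassembling, acc, size}, max) do
    # The cumulative check runs *before* the payload is appended, so the
    # stream is rejected on the frame that would cross the limit.
    case accumulate(acc, size, p, max) do
      {:ok, {:reassembling, acc2, _size}} when fin == true -> {:message, IO.iodata_to_binary(acc2), :idle}
      other -> other
    end
  end

  def handle_frame(_frame, _state, _max), do: {:close, 1002, :idle}

  @doc "Feed frames in order, stopping at the first complete message or close."
  @spec run(Enumerable.t(), non_neg_integer()) ::
          {:ok, state()} | {:message, binary(), state()} | {:close, 1002 | 1009, state()}
  def run(frames, max) do
    Enum.reduce_while(frames, {:ok, :idle}, fn frame, {:ok, state} ->
      case handle_frame(frame, state, max) do
        {:ok, _} = cont -> {:cont, cont}
        done -> {:halt, done}
      end
    end)
  end

  defp accumulate(acc, size, payload, max) do
    new_size = size + byte_size(payload)
    if new_size > max, do: {:close, 1009, :idle}, else: {:ok, {:reassembling, [acc, payload], new_size}}
  end
end

# Constructed frames: a 1 MiB per-message cap, 1 KiB fragments.
max = 1_048_576
chunk = :binary.copy("a", 1024)
first = %{opcode: :binary, fin: false, payload: chunk}
cont = %{opcode: :continuation, fin: false, payload: chunk}
last = %{opcode: :continuation, fin: true, payload: "end"}

# A well-formed 3-fragment message reassembles (2051 bytes).
{:message, msg, :idle} = FragmentGuard.run([first, cont, last], max)
IO.puts("reassembled #{byte_size(msg)} bytes")

# 2,000 never-finished continuation frames (~2 MiB) are cut off at the cap
# instead of being buffered: the connection closes with 1009 on frame 1025.
{:close, 1009, :idle} = FragmentGuard.run([first | List.duplicate(cont, 2000)], max)
IO.puts("oversized fragment stream rejected with 1009")
```

Run it with `elixir fragment_guard.exs`. The point of keeping the byte count in the state, rather than measuring the iolist on each frame, is that the check stays O(1) per frame and happens before the payload is appended, so the bounded reassembler never holds more than `max_message_size` bytes for one connection regardless of how many frames the peer sends.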

Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers: CVE-2026-42786

Affected Products: Bandit, Phoenix