PT-2026-36544 · Bandit · Bandit

Jonatan Männchen +2 · Published 2026-05-01 · Updated 2026-05-01 · CVE-2026-42788

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
bandit versions 0.3.6 through 1.10.x

Description
An issue in the deserialize/2 function of Bandit.HTTP2.Frame (Elixir.Bandit.HTTP2.Frame) allows unauthenticated memory exhaustion through oversized HTTP/2 frames. The server checks the negotiated SETTINGS_MAX_FRAME_SIZE limit only after pattern-matching on the announced payload length, so the entire frame body must already be in memory before the size guard is evaluated. A peer can therefore announce a frame length up to the 24-bit maximum (2^24 - 1 bytes, approximately 16 MiB) and force the server to buffer the whole body regardless of the max frame size it advertised. An attacker holding multiple concurrent connections, each with such a frame in flight, can cause significant memory pressure and a denial of service.

Recommendations
Update to version 1.11.0 or later. To confirm which version a project actually pulls in, check the `bandit` entry in its mix.lock; any pinned version from 0.3.6 up to and including the 1.10 series is affected.
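The following Elixir module is an added illustration of the bug class described above; it is not Bandit's source and does not reproduce the project's actual clause layout. It contrasts a parser whose size check sits in the body of a clause that already demands the full payload (assumed vulnerable shape, named `deserialize_vulnerable/2`) with one that rejects on the announced length as soon as the first three header bytes arrive (`deserialize_hardened/2`). Function names, the `feed/3` driver and the attacker input are all assumptions constructed for the example.

```elixir
# Added illustrative example (not Bandit's code). Shows why checking the
# frame length only after the payload has pattern-matched lets a peer force
# buffering of up to 2^24 - 1 bytes, and the guard-first shape that avoids it.
defmodule Http2FrameSizeExample do
  # HTTP/2 frame header (RFC 9113): 24-bit length, 8-bit type, 8-bit flags,
  # 1 reserved bit, 31-bit stream identifier; 9 bytes in total.
  # RFC 9113 default for SETTINGS_MAX_FRAME_SIZE.
  @default_max_frame_size 16_384

  # Assumed vulnerable shape: the first clause matches only once `length`
  # payload bytes are present, and the size check runs in its body. Until
  # then the fallback clause asks the caller for more data, so an oversized
  # frame is rejected only after it has been fully buffered.
  def deserialize_vulnerable(
        <<length::24, type::8, flags::8, _reserved::1, stream_id::31,
          payload::binary-size(length), rest::binary>>,
        max_frame_size
      ) do
    if length > max_frame_size do
      {{:error, :frame_size_error, length}, <<>>}
    else
      {{:ok, %{type: type, flags: flags, stream_id: stream_id, payload: payload}}, rest}
    end
  end

  def deserialize_vulnerable(data, _max_frame_size), do: {:more, data}

  # Hardened shape: a guard on the announced length fires as soon as the
  # first three bytes of the header are in, before any payload accumulates.
  def deserialize_hardened(<<length::24, _::binary>>, max_frame_size)
      when length > max_frame_size do
    {{:error, :frame_size_error, length}, <<>>}
  end

  def deserialize_hardened(
        <<length::24, type::8, flags::8, _reserved::1, stream_id::31,
          payload::binary-size(length), rest::binary>>,
        _max_frame_size
      ) do
    {{:ok, %{type: type, flags: flags, stream_id: stream_id, payload: payload}}, rest}
  end

  def deserialize_hardened(data, _max_frame_size), do: {:more, data}

  # Feed chunks through a parser the way a connection loop would, keeping
  # whatever the parser could not consume. Returns the outcome and the
  # peak number of bytes held for this single frame.
  def feed(parser, chunks, max_frame_size \\ @default_max_frame_size) do
    {status, _buffer, peak} =
      Enum.reduce_while(chunks, {:incomplete, <<>>, 0}, fn chunk, {_status, buffer, peak} ->
        buffer = buffer <> chunk
        peak = max(peak, byte_size(buffer))

        case parser.(buffer, max_frame_size) do
          {:more, _} -> {:cont, {:incomplete, buffer, peak}}
          {{:error, reason, _length}, _} -> {:halt, {{:rejected, reason}, buffer, peak}}
          {{:ok, _frame}, _rest} -> {:halt, {:accepted, buffer, peak}}
        end
      end)

    {status, peak}
  end

  def demo do
    # Constructed attacker input: a DATA frame header on stream 1 announcing
    # the 24-bit maximum length (16_777_215 bytes), followed by eight 64 KiB
    # chunks of body. A real peer would keep streaming until roughly 16 MiB.
    header = <<16_777_215::24, 0::8, 0::8, 0::1, 1::31>>
    body_chunks = List.duplicate(:binary.copy(<<0>>, 65_536), 8)
    chunks = [header | body_chunks]

    # A legitimate 5-byte DATA frame, to show both parsers still accept
    # frames under the limit.
    small = <<5::24, 0::8, 0::8, 0::1, 1::31, "hello">>

    %{
      vulnerable: feed(&deserialize_vulnerable/2, chunks),
      hardened: feed(&deserialize_hardened/2, chunks),
      vulnerable_ok: feed(&deserialize_vulnerable/2, [small]),
      hardened_ok: feed(&deserialize_hardened/2, [small])
    }
  end
end

IO.inspect(Http2FrameSizeExample.demo())
```

Run it with `elixir http2_frame_size_example.exs`. The vulnerable parser keeps answering `{:more, _}` and absorbs every body chunk, so the connection's peak buffer grows with each read and the result is still `:incomplete` when the input runs out; with a real peer it would keep growing toward the announced 16 MiB, per connection. The hardened parser returns `{:rejected, :frame_size_error}` after the first 9 bytes, and both accept the legitimate small frame. The ordering matters more than the check itself: the guard has to be reachable on a clause whose pattern needs only the header, otherwise the check cannot run until the peer has chosen to finish sending.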

Weakness Enumeration
Allocation of Resources Without Limits

Related Identifiers
CVE-2026-42788

Affected Products
Bandit