Description
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.

The fragment reassembly path in 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 in lib/bandit/websocket/connection.ex appends every incoming Continuation{fin: false} frame's payload to a per-connection iolist with no cumulative size cap. The existing max_frame_size option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting fin=1 grows BEAM heap linearly until the OS or a supervisor kills the process.

Because the accumulation happens before WebSock.handle_in/2 is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over WebSock on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections.

This issue affects bandit: from 0.5.0 before 1.11.0.
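The defect the description names is easiest to see in code. The following Elixir module is an added illustration, not Bandit's own code and not its fix: `handle_frame_unbounded/2` reproduces the pattern of appending every non-final frame's payload to a per-connection iolist with no running total, and `handle_frame/3` shows the defensive shape, a cumulative byte count checked before anything is appended so that a peer withholding fin=1 cannot grow the heap past a fixed cap. The module name, the function names, the `:max_message_size` option and its 1 MiB default are hypothetical; frames are plain maps rather than Bandit's internal structs.

```elixir
defmodule Example.FragmentReassembly do
  @moduledoc """
  Reassembly of fragmented WebSocket messages with a cumulative size cap.
  Added illustration, not Bandit's code. Frames are plain maps:
  %{opcode: :text | :binary | :continuation, fin: boolean, payload: binary}.
  """

  defstruct buffer: [], size: 0, opcode: nil

  # Hypothetical cap on a reassembled message (1 MiB). Bandit's real option
  # names and defaults are not taken from the advisory.
  @default_max_message_size 1_048_576

  @doc """
  Unbounded variant mirroring the defect the advisory describes: each
  non-final frame's payload is appended to the per-connection iolist and
  nothing ever checks how large the iolist has become.
  """
  def handle_frame_unbounded(%__MODULE__{} = state, %{fin: false} = frame) do
    {:ok, %{state | buffer: [state.buffer, frame.payload],
                    opcode: state.opcode || frame.opcode}}
  end

  def handle_frame_unbounded(%__MODULE__{} = state, %{fin: true} = frame) do
    message = IO.iodata_to_binary([state.buffer, frame.payload])
    {:message, state.opcode || frame.opcode, message, %__MODULE__{}}
  end

  @doc """
  Bounded variant: the running byte count is checked before any payload is
  appended, so withholding fin=1 cannot grow the buffer past
  `:max_message_size`. Returns
    {:ok, state}                      -- fragment accepted, message still open
    {:message, opcode, binary, state} -- final fragment, message complete
    {:error, reason}                  -- caller should close (1009 Message Too Big)
  """
  def handle_frame(state, frame, opts \\ [])

  def handle_frame(%__MODULE__{opcode: nil}, %{opcode: :continuation}, _opts) do
    # A continuation with no message in progress is a protocol error.
    {:error, :unexpected_continuation}
  end

  def handle_frame(%__MODULE__{opcode: op}, %{opcode: new_op}, _opts)
      when op != nil and new_op != :continuation do
    # A new data frame while a fragmented message is still open.
    {:error, :interleaved_message}
  end

  def handle_frame(%__MODULE__{} = state, frame, opts) do
    max = Keyword.get(opts, :max_message_size, @default_max_message_size)
    new_size = state.size + byte_size(frame.payload)

    cond do
      new_size > max ->
        {:error, :message_too_large}

      frame.fin ->
        message = IO.iodata_to_binary([state.buffer, frame.payload])
        {:message, state.opcode || frame.opcode, message, %__MODULE__{}}

      true ->
        {:ok, %{state | buffer: [state.buffer, frame.payload],
                        size: new_size,
                        opcode: state.opcode || frame.opcode}}
    end
  end

  @doc """
  Constructed input: feed `count` non-final frames of `chunk` bytes each and
  report where (if anywhere) the bounded path refused to keep accumulating.
  Returns {final_state, nil | {frame_index, reason}}.
  """
  def stream_without_fin(count, chunk, opts \\ []) do
    payload = :binary.copy(<<0>>, chunk)
    first = %{opcode: :binary, fin: false, payload: payload}
    rest = %{opcode: :continuation, fin: false, payload: payload}

    Enum.reduce_while(1..count, {%__MODULE__{}, nil}, fn i, {state, _} ->
      frame = if i == 1, do: first, else: rest

      case handle_frame(state, frame, opts) do
        {:ok, state} -> {:cont, {state, nil}}
        {:error, reason} -> {:halt, {state, {i, reason}}}
      end
    end)
  end
end

# Demo on constructed input: 1000 non-final frames of 64 KiB each.
{state, verdict} = Example.FragmentReassembly.stream_without_fin(1_000, 65_536)
IO.inspect(verdict, label: "rejected at")
IO.inspect(IO.iodata_length(state.buffer), label: "bytes retained")
```

With the 1 MiB cap, the 16th frame brings the buffer to exactly 1,048,576 bytes and is accepted, the 17th is refused with `:message_too_large`, and the retained iolist never exceeds the cap; the unbounded variant fed the same stream would retain all 64 MiB and keep going. The check sits in the reassembly state rather than in the application's `handle_in` callback, which matches the description's point that the application cannot interpose a size check once accumulation happens below it.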
Published: 2026-05-01
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Bandit's WebSocket implementation permits an attacker to send an unbounded series of continuation frames without setting the final bit, causing the library to append each payload to a per-connection iolist without a cumulative size limit. This can grow the BEAM heap linearly until it exhausts available memory, resulting in the process being killed by the OS or a supervisor. The vulnerability is triggered by unauthenticated remote clients and can be used to cause a denial of service on the affected node.

Affected Systems

mtrudel:bandit versions from 0.5.0 up to but not including 1.11.0 are affected. Applications that embed Bandit, such as Phoenix Channels and LiveView, inherit the same vulnerability when they accept WebSocket connections.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity for resource exhaustion. EPSS is not available, but the lack of a limit on memory usage suggests the attack surface is exploitable with minimal effort, likely over the network. The issue is not listed in KEV, yet the ability to crash a node quickly makes it attractive to attackers seeking to disrupt service. The attack vector is remote unauthenticated connections sending continuous WebSocket continuation frames, particularly over Bandit-powered Phoenix or LiveView applications.

Generated by OpenCVE AI on May 1, 2026 at 22:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bandit to version 1.11.0 or newer, where the fragment reassembly path now enforces a cumulative size cap on continuation frames.
  • Update any dependent frameworks, such as Phoenix or LiveView, to versions that use the patched Bandit library to ensure the fix propagates.
  • If an immediate upgrade is not feasible, consider configuring network-level rate limiting or a reverse proxy that rejects WebSocket continuations exceeding a reasonable threshold to mitigate memory exhaustion.



Advisories

No advisories yet.

History

Sat, 02 May 2026 02:15:00 +0000

  • Metrics added (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 21:00:00 +0000

  • Description added: Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The fragment reassembly path in 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 in lib/bandit/websocket/connection.ex appends every incoming Continuation{fin: false} frame's payload to a per-connection iolist with no cumulative size cap. The existing max_frame_size option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting fin=1 grows BEAM heap linearly until the OS or a supervisor kills the process. Because the accumulation happens before WebSock.handle_in/2 is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over WebSock on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections. This issue affects bandit: from 0.5.0 before 1.11.0.
  • Title added: WebSocket fragmented message reassembly unbounded in bandit
  • First time appeared: Mtrudel; Mtrudel bandit
  • Weaknesses added: CWE-770
  • CPEs added: cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*
  • Vendors & Products added: Mtrudel; Mtrudel bandit
  • References: (no values listed)
  • Metrics added (cvssV4_0): {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-02T04:17:26.677Z

Reserved: 2026-04-29T18:06:33.251Z

Link: CVE-2026-42786

Vulnrichment

Updated: 2026-05-02T01:16:34.837Z

NVD

Status: Received

Published: 2026-05-01T21:16:17.347

Modified: 2026-05-02T02:16:00.467

Link: CVE-2026-42786

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T23:00:14Z

Weaknesses