EXECUTIVE SUMMARY:
CVE-2026-42786, with a CVSS score of 8.7, is a Consumption of Resources Without Limits or Throttling vulnerability in the Erlang Bandit package. It allows an unauthenticated remote denial of service via memory exhaustion through the unbounded reassembly of WebSocket continuation frames. An attacker can exploit this issue by sending an unbounded number of continuation frames without ever setting the 'fin' field to true, causing the BEAM heap to grow linearly until the operating system or a supervisor terminates the process. As a result, a single unauthenticated WebSocket client can exhaust server memory in any Bandit-fronted application that accepts WebSocket connections. The business impact is an unauthenticated denial of service through memory exhaustion, potentially leading to out-of-memory kills of the host, especially in constrained or heavily loaded environments. The issue remains reachable through common deployment architectures such as L4 load balancers, HTTP reverse proxies, and TLS-terminating edge proxies, and requires no authentication or special conditions for exploitation.
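As an added illustration (not Bandit's own code), the following Python reassembler shows the defensive bound the summary implies a server needs: a per-message byte cap checked before each continuation fragment is buffered, with the connection closed (RFC 6455 status 1009) instead of the heap growing. The 64 KiB cap, the frame builder and the sample frame streams are assumptions constructed for this example.

```python
import struct
MAX_MESSAGE_BYTES = 64 * 1024  # assumed cap for this example, not Bandit's actual setting
CLOSE_TOO_BIG = 1009  # RFC 6455 close status "Message Too Big"

def build_frame(payload: bytes, opcode: int, fin: bool) -> bytes:
    """Construct an unmasked RFC 6455 frame (used only to build the sample input below)."""
    head = bytes([(0x80 if fin else 0x00) | opcode])
    n = len(payload)
    if n < 126:
        return head + bytes([n]) + payload
    if n < 65536:
        return head + bytes([126]) + struct.pack("!H", n) + payload
    return head + bytes([127]) + struct.pack("!Q", n) + payload

def parse_frame(buf: bytes, pos: int):
    """Parse one frame at buf[pos:]; returns (fin, opcode, payload, next_pos)."""
    b0, b1 = buf[pos], buf[pos + 1]
    fin, opcode, masked, n = bool(b0 & 0x80), b0 & 0x0F, bool(b1 & 0x80), b1 & 0x7F
    pos += 2
    if n == 126:
        n, pos = struct.unpack("!H", buf[pos:pos + 2])[0], pos + 2
    elif n == 127:
        n, pos = struct.unpack("!Q", buf[pos:pos + 8])[0], pos + 8
    if masked:  # client-to-server frames carry a 4-byte masking key
        key, pos = buf[pos:pos + 4], pos + 4
        payload = bytes(c ^ key[i % 4] for i, c in enumerate(buf[pos:pos + n]))
    else:
        payload = buf[pos:pos + n]
    return fin, opcode, payload, pos + n

def reassemble(stream: bytes, max_bytes: int = MAX_MESSAGE_BYTES):
    """Return (messages, close_code); close_code is CLOSE_TOO_BIG once a fragmented message would exceed max_bytes."""
    messages, pending, pending_size, pos = [], [], 0, 0
    while pos < len(stream):
        fin, opcode, payload, pos = parse_frame(stream, pos)
        if opcode >= 0x8:  # control frames (ping/pong/close) may interleave; never buffered
            continue
        if pending_size + len(payload) > max_bytes:  # the bound the unbounded version lacks
            return messages, CLOSE_TOO_BIG  # stop reading: the buffer is released, not grown
        pending.append(payload)
        pending_size += len(payload)
        if fin:  # only a fin frame completes the message and frees the buffer
            messages.append(b"".join(pending))
            pending, pending_size = [], 0
    return messages, None

# Constructed samples: a two-fragment text message with a ping interleaved, and a run of continuation frames that never sets fin.
SAMPLE_OK = build_frame(b"hel", 0x1, False) + build_frame(b"", 0x9, True) + build_frame(b"lo", 0x0, True)
SAMPLE_NEVER_FIN = b"".join(build_frame(b"A" * 1000, 0x1 if i == 0 else 0x0, False) for i in range(100))
```

With the cap in place the never-finished stream is cut off after the 66th fragment (65,000 bytes buffered), whereas without a cap every fragment would be retained for as long as the client keeps sending.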
RECOMMENDATION:
We recommend updating bandit to version 1.11.0 or later.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-pf94-94m9-536p