CVE-2026-39806— HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit
Possible ATT&CK Techniques 1AI
T1499 · Endpoint Denial of ServiceGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-39806
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit
Source: NVD (National Vulnerability Database)
Vulnerability Description
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is followed immediately by the empty trailer line \r\n. RFC 9112 §7.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives <<>> on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection. A handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement. This issue affects bandit: from 1.6.1 before 1.11.1.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
不可达退出条件的循环(无限循环)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Bandit 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Bandit是Mat Trudel个人开发者的一款高性能HTTP与WebSocket服务器。 Bandit 1.6.1版本至1.11.1之前版本存在安全漏洞,该漏洞源于无限循环,可能导致未经身份验证的远程攻击者通过工作进程耗尽造成拒绝服务。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-39806
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-39806
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: bandit
- CVE-2026-39803
HTTP/1 chunked body reader ignores length cap in bandit - CVE-2026-39805
CL.CL HTTP request smuggling via duplicate Content-Length in - CVE-2026-39804
WebSocket permessage-deflate inflate has no output-size cap - CVE-2026-39807
Client-supplied URI scheme trusted without transport verific - CVE-2026-42786
WebSocket fragmented message reassembly unbounded in bandit
Same vendor: mtrudel
- CVE-2026-39803
HTTP/1 chunked body reader ignores length cap in bandit - CVE-2026-39805
CL.CL HTTP request smuggling via duplicate Content-Length in - CVE-2026-39804
WebSocket permessage-deflate inflate has no output-size cap - CVE-2026-39807
Client-supplied URI scheme trusted without transport verific - CVE-2026-42786
WebSocket fragmented message reassembly unbounded in bandit
Same weakness: CWE-835
- CVE-2026-42920
BIG-IP DTLS Vulnerability - CVE-2026-42781
BIG-IP FastL4 virtual server vulnerability - CVE-2026-44302
Snappier: Infinite loop in SnappyStream decompression on mal - CVE-2026-42899
ASP.NET Core Denial of Service Vulnerability - CVE-2026-34962
barebox ext4 Directory Parsing Infinite Loop Denial of Servi
V. Comments for CVE-2026-39806
No comments yet