# Bandit Buffer Overflow Vulnerability Summary

## Vulnerability Overview

- **Vulnerability Name**: Bandit Unterminated WebSocket Continuation Frame Buffer Overflow Leading to OOM Host Kill
- **CVE ID**: CVE-2026-42786
- **Severity**: High (8.7/10)
- **Affected Versions**: >= 0.5.0 and < 1.11.0
- **Fixed Version**: 1.11.0

## Impact Scope

- Any Bandit frontend application that accepts WebSocket connections
- A single unauthenticated WebSocket client can exhaust server memory
- The attacker does not need to send `fin=1`; merely keeping the connection open is sufficient
- Impacts Phoenix applications such as Phoenix Channels and LiveView
- Not mitigated by load balancers, reverse proxies, or TLS termination processes

## Remediation

- Upgrade to Bandit 1.11.0
- Configure `max_message_size` on the connection state
- Terminate the connection with RFC 6455 code 1009 (`:max_message_size_exceeded`) when the limit is exceeded

## POC Code

```elixir
# Bandit WebSocket fragmented-message accumulation PoC.
#
# lib/bandit/websocket/connection.ex:80-95 appends every incoming
# continuation frame to connection.fragment_frame.data as is, with no
# cumulative cap. max_frame_size only bounds "each" frame. A peer that
# streams an unbounded number of max-sized continuations without ever
# setting fin=1 grows the iolist linearly in BEAM memory until the OS
# kills the process. The eventual 10_024_to_binary/1
```
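The remediation above boils down to one check: track the cumulative size of the fragments buffered for a message, not just the size of each frame, and close with code 1009 the moment the next fragment would push the total past `max_message_size`. The following module is an added illustration of that check written for this summary; it is not Bandit's code. The module name, the `handle_frame/2` and `run/2` functions, the `fin?` frame key and the shape of the `fragment_frame` map are assumptions chosen for the example; only the `max_message_size` setting and the 1009 / `:max_message_size_exceeded` close are taken from the advisory.

```elixir
# Added illustration (not Bandit's code): a minimal accumulator for
# fragmented WebSocket messages that enforces a cumulative cap, which is
# the defensive check the advisory's remediation describes. Module,
# function and field names are hypothetical.
defmodule FragmentAccumulator do
  # Constructed state; `fragment_frame` holds the fragments buffered so far
  # plus their running byte count, `max_message_size` is the cumulative cap.
  defstruct fragment_frame: nil, max_message_size: 1_048_576

  @doc """
  Handle one data frame. `fin?` marks the final fragment of a message.

  Returns `{:ok, state}` while the message is still incomplete,
  `{:message, binary, state}` once the final fragment arrives, or
  `{:close, 1009, :max_message_size_exceeded}` when the cumulative size of
  the buffered fragments plus this frame would exceed the limit.
  """
  def handle_frame(%__MODULE__{} = state, %{data: data, fin?: fin?}) do
    {acc, size} =
      case state.fragment_frame do
        nil -> {[], 0}
        %{data: acc, size: size} -> {acc, size}
      end

    new_size = size + byte_size(data)

    cond do
      # Check before appending, so an oversized fragment is never stored and
      # the per-connection buffer can never grow past the cap.
      new_size > state.max_message_size ->
        {:close, 1009, :max_message_size_exceeded}

      fin? ->
        # Fragments are prepended (O(1)) and reversed once at the end.
        message = IO.iodata_to_binary(Enum.reverse([data | acc]))
        {:message, message, %{state | fragment_frame: nil}}

      true ->
        {:ok, %{state | fragment_frame: %{data: [data | acc], size: new_size}}}
    end
  end

  @doc "Feed a list of frames through the accumulator, stopping at the first close."
  def run(%__MODULE__{} = state, frames) do
    Enum.reduce_while(frames, {:ok, state}, fn frame, {_tag, st} ->
      case handle_frame(st, frame) do
        {:close, _code, _reason} = close -> {:halt, close}
        {:message, _bin, st2} -> {:cont, {:ok, st2}}
        {:ok, st2} -> {:cont, {:ok, st2}}
      end
    end)
  end
end

# Constructed demo: a 10 KiB cumulative cap fed by a stream of 4 KiB
# continuation frames that never set fin. Without the cap this would keep
# growing for as long as the peer keeps sending.
state = %FragmentAccumulator{max_message_size: 10 * 1024}

frames =
  Stream.repeatedly(fn -> %{data: :binary.copy(<<0>>, 4096), fin?: false} end)
  |> Enum.take(1_000)

IO.inspect(FragmentAccumulator.run(state, frames))
```

With a 10 KiB cap and 4 KiB fragments the third continuation would bring the total to 12 KiB, so `run/2` halts there with `{:close, 1009, :max_message_size_exceeded}` and the remaining 997 frames are never buffered. The important design point is that the comparison happens before the append: checking after appending still lets a single oversized fragment land in memory, and checking only `max_frame_size` (per frame) is exactly the gap the advisory describes.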