CVE-2026-42786
EPSS 0.1%. Real vuln, clear patch available, but no weaponization signal; mostly feed chatter.
What: Unbounded WebSocket frame reassembly in Bandit (Elixir web server) versions 0.5.0–<1.11.0 allows unauthenticated remote DoS via memory exhaustion; affects Phoenix and LiveView applications directly.
Why it matters: Published May 1, 2026; no KEV listing yet, but a high-severity resource-exhaustion flaw in a widely deployed framework. No public PoC observed in chatter, but the vulnerability is straightforward to trigger: a stream of continuation frames with no cumulative size limit. Phoenix/LiveView users are already being advised to patch or limit connections. Vendor (mtrudel) has patched in 1.11.0.
Where it's seen: Initial disclosure posts on Twitter and Bluesky linking to CVE feeds and threat radar; mostly rebroadcasting the NVD description. Defender guidance surfacing ("monitor usage, limit connections"). No PoC code or mass-scanning reports yet.
RISK: HIGH — Trivial DoS against any Phoenix/LiveView app accepting WebSocket without per-connection frame-count limits.
AttackerKB
view on attackerkb.com →
Articles & coverage 5 articles
- The most severe Linux threat to surface in years catches the world ...
Publicly released exploit code for an effectively unpatched vulnerability that gives root access to virtually all releases of Linux is setting off alarm bells as defenders scramble to ward off severe compromises inside data centers and on personal devices. The vulnerability and exploit code that exploits it were released Wednesday evening by researchers from security firm Theori, five weeks after
- CVE-2026-4786 Detail - NVD
- Copy Fail Explained [CVE-2026-31431] - YouTube
Copy Fail is the latest Linux privesc CVE, and it's a relatively simple exploit that overwrites files in the in-memory cache.
- SUSE responds to the copy.fail vulnerability
SUSE responds to the copy.fail vulnerability. Copy Fail (tracked as CVE-2026-31431) is a critical vulnerability in the Linux kernel that allows a local non-root user to gain full root access to the system. * SLES 15 (all service packs, including Micro 5.x and openSUSE Leap 15.6). How it works: Uses a combination of the splice() system call and the AF_ALG kernel encryption interface. Due to a 20
- New Linux 'Copy Fail' Vulnerability Enables Root Access on Major ...
NVD details: 1 CWE · 0 vendors · 4 refs
Description
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The fragment reassembly path in 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 in lib/bandit/websocket/connection.ex appends every incoming Continuation{fin: false} frame's payload to a per-connection iolist with no cumulative size cap. The existing max_frame_size option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting fin=1 grows BEAM heap linearly until the OS or a supervisor kills the process. Because the accumulation happens before WebSock.handle_in/2 is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over WebSock on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections. This issue affects bandit: from 0.5.0 before 1.11.0.
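The check the description says is missing, as an added illustration and not Bandit's own code: a hypothetical Elixir reassembler that counts every fragment against a per-message cap before retaining it, so a stream of continuation frames that each pass a per-frame limit is still refused instead of growing the per-connection buffer. The module name, the `max_message_size` option, its 1 MiB default, the frame-map shape and `demo/3` are all assumptions, not Bandit's API.

```elixir
defmodule FragmentReassembly do
  # Hypothetical reassembler, not Bandit's code. Shows the cumulative cap the
  # CVE describes as missing: every fragment is counted against a per-message
  # limit before it is retained. The 1 MiB default is an assumed value.
  defstruct opcode: nil, frags: [], size: 0, max_message_size: 1_048_576

  # Unfragmented text/binary frame: deliver directly, nothing is buffered.
  def handle_frame(%__MODULE__{opcode: nil} = st, %{opcode: op, fin: true, payload: p})
      when op in [:text, :binary],
      do: {:message, op, p, st}

  # First fragment: remember the opcode and start accumulating.
  def handle_frame(%__MODULE__{opcode: nil} = st, %{opcode: op, fin: false, payload: p})
      when op in [:text, :binary],
      do: accumulate(%{st | opcode: op}, p)

  # Continuation of an in-flight fragmented message.
  def handle_frame(%__MODULE__{opcode: op} = st, %{opcode: :continuation, fin: fin, payload: p})
      when op != nil do
    case accumulate(st, p) do
      {:ok, st} when fin ->
        # Complete: hand the reassembled payload up and reset per-message state.
        msg = IO.iodata_to_binary(Enum.reverse(st.frags))
        {:message, op, msg, %__MODULE__{max_message_size: st.max_message_size}}
      other ->
        other
    end
  end

  # Continuation with nothing in flight, or a new message while one is in flight.
  def handle_frame(_st, _frame), do: {:error, :protocol_error}

  # The defensive check: a per-frame max_frame_size bounds one frame only, so
  # the reassembler must track the running total and refuse before buffering.
  defp accumulate(%__MODULE__{size: size, max_message_size: max} = st, payload) do
    total = size + byte_size(payload)
    if total > max,
      do: {:error, :message_too_large},
      else: {:ok, %{st | frags: [payload | st.frags], size: total}}
  end

  # Streams `count` continuation frames of `bytes` each without ever setting
  # fin, the pattern the CVE describes; returns the first non-ok result (or {:ok, st}).
  def demo(count, bytes, cap) do
    first = %{opcode: :binary, fin: false, payload: :binary.copy(<<0>>, bytes)}
    Enum.reduce_while(1..count, handle_frame(%__MODULE__{max_message_size: cap}, first), fn
      _, {:ok, st} -> {:cont, handle_frame(st, %{first | opcode: :continuation})}
      _, result -> {:halt, result}
    end)
  end
end
```

Calling `demo/3` with a frame size well under the cap and enough frames to exceed it returns `{:error, :message_too_large}` rather than an ever-growing buffer; the connection owner is expected to close the socket on that result, which is the interposition point the vulnerable path never reaches.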
Weaknesses
Top posts driving the trend
- @offseq.bsky.social (Bluesky) · 5/2/2026
🚩 HIGH severity: mtrudel bandit 0.5.0 – <1.11.0 vulnerable to unauthenticated DoS via unbounded WebSocket frames. Phoenix & LiveView users: monitor usage and limit connections until patched. https://radar.offseq.com/threat/cve-2026-42786-cwe-770-allocation-of-resources-wit-56eb6fa8 #OffSeq #Secur...
♥ 4 · ↻ 0 · 💬 0
- @cve.skyfleet.blue (Bluesky) · 5/1/2026
CVE-2026-42786 - WebSocket fragmented message reassembly unbounded in bandit CVE ID : CVE-2026-42786 Published : May 1, 2026, 9:16 p.m. | 1 hour, 3 minutes ago Description : Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unaut...
♥ 0 · ↻ 0 · 💬 0
- @infoflowcloud (X) · 5/1/2026
🚨*CVE* CVE-2026-42786 Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The fragm… https://t.co/baui3fN8SD ----- Translation: CVE-2026-42786 Asi… https://t.co/utmtNgl3sv
♥ 0 · ↻ 0 · 💬 0
- @CVEnew (X) · 5/1/2026
CVE-2026-42786 Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The fragm… https://t.co/yJd6BjlMB7
♥ 1 · ↻ 0 · 💬 0