CVE-2026-39804: Remote Code Execution and DoS via Bandit WebSocket Permessage-Deflate Resource Exhaustion

DEV Community·CVE Reports·26 days ago

Vulnerability ID: CVE-2026-39804
CVSS Score: 8.2
Published: 2026-05-07

CVE-2026-39804 is a critical resource exhaustion vulnerability (CWE-770) affecting the Bandit Elixir HTTP server. By exploiting unbounded DEFLATE decompression in WebSocket frames, an unauthenticated attacker can crash the Erlang VM (BEAM) via a highly compressed decompression bomb.

TL;DR

Unauthenticated remote attackers can trigger a Denial of Service (OOM crash) in the Bandit web server by sending a highly compressed WebSocket frame, exhausting BEAM memory if permessage-deflate is enabled.…
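The defensive pattern the CWE-770 finding calls for is to inflate a permessage-deflate payload only up to a configured cap and reject the message as soon as that cap is crossed, instead of handing the whole frame to an unbounded inflate. The following is an added Python example and is not Bandit's code (the function names `make_client_payload`, `inflate_frame_bounded` and the exception `InflatedTooLarge` are assumptions of this example); it inflates with `zlib.decompressobj` in bounded steps, using the RFC 7692 sync-flush tail convention, and checks it against a constructed all-zero message that compresses by roughly three orders of magnitude.

```python
import zlib

# RFC 7692 s7.2.2: the sender strips this sync-flush tail from every
# compressed message; the receiver appends it again before inflating.
SYNC_FLUSH_TAIL = b"\x00\x00\xff\xff"


class InflatedTooLarge(Exception):
    """Raised when a frame would inflate past the configured limit (assumed name)."""


def make_client_payload(message: bytes) -> bytes:
    """Compress a message the way a permessage-deflate client would.
    Used here only to build constructed test inputs (assumed helper)."""
    comp = zlib.compressobj(level=9, wbits=-15)  # raw DEFLATE, 32 KiB window
    data = comp.compress(message) + comp.flush(zlib.Z_SYNC_FLUSH)
    assert data.endswith(SYNC_FLUSH_TAIL)
    return data[:-len(SYNC_FLUSH_TAIL)]


def inflate_frame_bounded(payload: bytes, max_bytes: int) -> bytes:
    """Inflate one compressed message while never buffering more than
    max_bytes (+1) of output.  An unbounded inflate here is the CWE-770
    pattern the advisory describes: a few KiB on the wire can expand to
    far more than the process can hold."""
    inflater = zlib.decompressobj(wbits=-15)
    pending = payload + SYNC_FLUSH_TAIL
    out = bytearray()
    while True:
        # max_length=0 means "no limit" to zlib, so always request at most
        # one byte past the cap: any overflow is detected after a tiny step.
        piece = inflater.decompress(pending, max_length=max_bytes - len(out) + 1)
        out += piece
        if len(out) > max_bytes:
            raise InflatedTooLarge(f"frame inflates beyond {max_bytes} bytes")
        pending = inflater.unconsumed_tail
        # Stop once the stream ended, or nothing is left to feed and nothing
        # more was produced (zlib may still have had output pending).
        if inflater.eof or (not pending and not piece):
            break
    return bytes(out)


if __name__ == "__main__":
    bomb = make_client_payload(b"\x00" * (4 << 20))  # constructed 4 MiB of zeros
    print(f"wire size {len(bomb)} bytes for a 4 MiB message")
    try:
        inflate_frame_bounded(bomb, max_bytes=1 << 20)
    except InflatedTooLarge as exc:
        print("rejected:", exc)
```

The cap is enforced before the oversized output exists, so the peak allocation is bounded by `max_bytes` plus one small chunk rather than by whatever the attacker chose to send.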
