CVE-2026-42786: Unbounded WebSocket Fragmented Message Reassembly Denial of Service in Bandit

DEV Community·CVE Reports·26 days ago

Vulnerability ID: CVE-2026-42786
CVSS Score: 8.7
Published: 2026-05-07

An unauthenticated remote denial of service vulnerability exists in the Bandit HTTP server due to unbounded resource allocation during WebSocket fragment reassembly. An attacker can exhaust the server's memory by streaming continuous WebSocket frames without the finalization (FIN) bit set, causing the Erlang virtual machine to crash.

TL;DR: Bandit < 1.11.0 fails to limit the cumulative size of fragmented WebSocket messages, allowing unauthenticated attackers to cause an Out-of-Memory (OOM) denial of service by sending an endless stream of continuation frames.…
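As an added illustration (not code from the Bandit project or from the original report), the following Python reassembler enforces a cumulative size cap across continuation frames, which is the bound the advisory says Bandit < 1.11.0 lacked. The frame parser, the cap value and the sample frames are constructed for this demo; the RFC 6455 frame layout and close code 1009 are the standard's.

```python
import struct

OPCODE_CONTINUATION = 0x0


class FragmentLimitExceeded(Exception):
    """Raised when buffered fragments would exceed the configured cap."""


def parse_frame(data: bytes):
    """Parse one RFC 6455 frame into (fin, opcode, payload); handles 7/16/64-bit lengths and masking."""
    fin = bool(data[0] & 0x80)
    opcode = data[0] & 0x0F
    masked = bool(data[1] & 0x80)
    length, offset = data[1] & 0x7F, 2
    if length == 126:
        length, offset = struct.unpack(">H", data[2:4])[0], 4
    elif length == 127:
        length, offset = struct.unpack(">Q", data[2:10])[0], 10
    key = data[offset:offset + 4] if masked else b"\x00" * 4   # zero key leaves payload unchanged
    offset += 4 if masked else 0
    payload = bytes(b ^ key[i % 4] for i, b in enumerate(data[offset:offset + length]))
    return fin, opcode, payload


def build_frame(fin: bool, opcode: int, payload: bytes) -> bytes:
    """Constructed helper for the demo: unmasked frame with a payload shorter than 126 bytes."""
    return bytes([(0x80 if fin else 0) | opcode, len(payload)]) + payload


class BoundedReassembler:
    """Accumulates fragments until FIN, rejecting the message once the total exceeds max_bytes."""

    def __init__(self, max_bytes: int):
        self.max_bytes = max_bytes          # constructed cap; a real server exposes this as config
        self.buffer = bytearray()
        self.opcode = None

    def feed(self, frame: bytes):
        fin, opcode, payload = parse_frame(frame)
        if opcode != OPCODE_CONTINUATION:   # first fragment of a new message
            self.buffer.clear()
            self.opcode = opcode
        # Check the cumulative total before buffering; this is the missing bound the advisory describes.
        if len(self.buffer) + len(payload) > self.max_bytes:
            self.buffer.clear()             # drop partial state; caller should close with 1009 (Message Too Big)
            raise FragmentLimitExceeded(f"fragmented message exceeds {self.max_bytes} bytes")
        self.buffer.extend(payload)
        if not fin:
            return None                     # still waiting for more continuation frames
        message, self.buffer = bytes(self.buffer), bytearray()
        return self.opcode, message
```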
