CVE-2026-39806: DoS in Bandit HTTP1 Socket
Platform
linux
Component
bandit
Fixed in
ae3520dfdbfab115c638f8c7f6f6b805db34e1ab
CVE-2026-39806 describes a denial-of-service (DoS) vulnerability discovered in Bandit, a functional HTTP proxy. This flaw allows an unauthenticated attacker to exhaust worker processes, effectively rendering the service unavailable. The vulnerability affects versions up to 1.6.1 and is due to an infinite loop condition in the HTTP/1.1 socket handling. A fix is available in commit ae3520dfdbfab115c638f8c7f6f6b805db34e1ab.
Impact and attack scenarios
The primary impact of CVE-2026-39806 is a denial-of-service. An attacker can trigger this vulnerability by sending specially crafted HTTP/1.1 requests with trailers. RFC 9112 permits trailers between the last-chunk line and the empty trailer line, but Bandit's implementation fails to handle this correctly, leading to an infinite loop. This loop consumes resources and eventually exhausts the available worker processes, preventing legitimate requests from being processed. The blast radius is limited to the affected Bandit instance, but widespread exploitation could impact multiple services relying on Bandit as a proxy. This vulnerability is similar in impact to other HTTP proxy DoS vulnerabilities, where crafted requests are used to overwhelm server resources.
Exploitation context
CVE-2026-39806 was published on 2026-05-13. There is no indication of this vulnerability being actively exploited in the wild. The vulnerability is not listed on KEV (CISA's Known Exploited Vulnerabilities catalog) or scored by EPSS (Exploit Prediction Scoring System). Public proof-of-concept (POC) code is currently unavailable, but the vulnerability description provides sufficient detail for attackers to develop their own exploits.
Mitigation and workarounds
The recommended mitigation for CVE-2026-39806 is to upgrade Bandit to a build that includes commit ae3520dfdbfab115c638f8c7f6f6b805db34e1ab or later. If upgrading is not immediately feasible, consider implementing rate limiting on incoming HTTP/1.1 requests to reduce the impact of potential exploitation. Additionally, deploying a Web Application Firewall (WAF) with rules to filter out requests containing excessive or malformed trailers could provide a temporary layer of protection. Monitor Bandit's resource usage (CPU, memory) for unusual spikes, which could indicate an ongoing attack. After the upgrade, confirm the fix by sending a valid HTTP/1.1 request with trailers and verifying that the worker processes remain stable.
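The two passages above describe the root cause (a chunked-body decoder that does not terminate at the trailer section) and the post-upgrade check (send a valid request with trailers and confirm the server stays responsive). The following Python script is an added example written for this page; it is not Bandit's code and makes no claim about how Bandit's decoder is implemented. It builds a well-formed chunked request with a trailer section as laid out in RFC 9112, shows a reference decoder whose two loops each consume input on every iteration and stop on the last-chunk line and on the empty line after the trailers, and provides a small connectivity check for the verification step. The function names, the request path "/" and the constructed trailer field are assumptions; any endpoint that accepts a POST body will do.

```python
"""Chunked transfer coding with a trailer section (RFC 9112, section 7.1).

Added example for CVE-2026-39806; not Bandit's code. Demonstrates
(1) what a valid request with trailers looks like on the wire,
(2) a decoder that always terminates: it stops at the last-chunk line
    and then at the first empty line after the trailer fields, and
(3) a post-upgrade smoke check that reports whether the server answers
    such a request instead of hanging.
"""
import socket


def build_chunked_request(host, path, chunks, trailers):
    """Return the raw bytes of a POST request with a chunked body and trailers.

    `chunks` is a list of byte strings, `trailers` a dict of field -> value.
    """
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Transfer-Encoding: chunked\r\n"
        "TE: trailers\r\n"
    )
    if trailers:
        # Announce the trailer field names up front (optional per RFC 9112).
        head += "Trailer: " + ", ".join(trailers) + "\r\n"
    head += "\r\n"

    body = b""
    for chunk in chunks:
        body += f"{len(chunk):x}\r\n".encode() + chunk + b"\r\n"
    body += b"0\r\n"  # last-chunk: size zero, then the trailer section
    for name, value in trailers.items():
        body += f"{name}: {value}\r\n".encode()
    body += b"\r\n"  # empty line: terminates the trailer section and the message
    return head.encode() + body


def decode_chunked(data):
    """Decode a chunked body that starts at data[0].

    Returns (payload, trailers, remainder). Raises ValueError on truncated or
    malformed input rather than waiting for bytes that will never arrive.
    Both loops advance `pos` on every iteration, so neither can spin.
    """
    pos = 0
    payload = bytearray()
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_field = data[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError(f"bad chunk size {size_field!r}") from None
        pos = eol + 2
        if size == 0:
            break  # last-chunk reached; the trailer section follows
        if len(data) < pos + size + 2:
            raise ValueError("truncated chunk data")
        payload += data[pos:pos + size]
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not CRLF-terminated")
        pos += size + 2

    trailers = {}
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated trailer section")
        line = data[pos:eol]
        pos = eol + 2
        if line == b"":
            break  # the empty line ends the trailer section
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed trailer line {line!r}")
        trailers[name.decode().strip().lower()] = value.decode().strip()
    return bytes(payload), trailers, data[pos:]


def post_upgrade_check(host, port, timeout=5.0):
    """Send one valid chunked request with a trailer and report whether the
    server returns an HTTP status line within `timeout` seconds.

    Assumption: `host:port` is a Bandit instance under your control. A
    timeout here is the symptom the advisory describes; a status line means
    the decoder consumed the trailer section and returned to serving.
    """
    request = build_chunked_request(host, "/", [b"ping"], {"X-Trailer-Check": "1"})
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            reply = sock.recv(4096)
    except OSError:
        return False
    return reply.startswith(b"HTTP/1.1 ")


if __name__ == "__main__":
    # Local round trip: the decoder must return exactly what the builder emitted.
    req = build_chunked_request("localhost", "/upload", [b"hello", b" world"], {"X-Checksum": "abc"})
    body_start = req.index(b"\r\n\r\n") + 4
    print(decode_chunked(req[body_start:]))
```

Run `post_upgrade_check("localhost", 4000)` against the upgraded instance while watching the worker count; a `True` result together with stable workers is the confirmation the mitigation section asks for. The decoder is deliberately strict: a truncated trailer section raises instead of looping, which is the property a reviewer should look for in any HTTP/1.1 body parser.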
How to fix
Update the Bandit library to version 1.11.1 or higher to mitigate the denial-of-service vulnerability. This update fixes an infinite loop in the HTTP/1 decoder that can be exploited by requests with trailer fields.
Frequently asked questions
What is CVE-2026-39806 — DoS in Bandit HTTP1 Socket?
CVE-2026-39806 is a denial-of-service vulnerability in Bandit's HTTP/1.1 socket handling. An attacker can exhaust worker processes by sending crafted HTTP requests with trailers, leading to service disruption. Affected versions are up to 1.6.1.
Am I affected by CVE-2026-39806 in Bandit?
If you are running Bandit version 1.6.1 or earlier, you are potentially affected. Check your version using bandit --version.
How do I fix CVE-2026-39806 in Bandit?
Upgrade Bandit to a build that includes commit ae3520dfdbfab115c638f8c7f6f6b805db34e1ab or later. Consider rate limiting or WAF rules as temporary mitigations.
Is CVE-2026-39806 being actively exploited?
There is currently no public information indicating that CVE-2026-39806 is being actively exploited in the wild.
Where can I find the official Bandit advisory for CVE-2026-39806?
Refer to the official Bandit project repository and security advisories for the latest information: [https://github.com/mtrudel/bandit](https://github.com/mtrudel/bandit)