CVE-2026-39803: DoS in Bandit via Memory Exhaustion
Platform: other
Component: bandit
Fixed in: ae3520dfdbfab115c638f8c7f6f6b805db34e1ab
CVE-2026-39803 describes a Denial of Service (DoS) vulnerability in Bandit, specifically within the HTTP/1 socket reading functionality. An unauthenticated attacker can trigger memory exhaustion by sending crafted chunked HTTP requests, leading to a service disruption. This vulnerability affects versions of Bandit prior to 1.4.0 and is fixed in version ae3520dfdbfab115c638f8c7f6f6b805db34e1ab.
Impact and attack scenarios
Successful exploitation of CVE-2026-39803 allows an attacker to cause a Denial of Service (DoS) in Bandit. By sending specially crafted chunked HTTP requests, the attacker can exhaust the server's memory resources, leading to service unavailability. This can disrupt legitimate traffic and prevent users from accessing the Bandit proxy. The impact is particularly severe in production environments where Bandit is critical for traffic management and security.
Exploitation context
CVE-2026-39803 was published on 2026-05-13. The EPSS score is likely medium, indicating a moderate probability of exploitation. No public Proof-of-Concept (POC) exploits have been identified at this time. Refer to the official Bandit advisory for more details.
Mitigation and workarounds
The primary mitigation is to upgrade Bandit to version ae3520dfdbfab115c638f8c7f6f6b805db34e1ab or later. If immediate upgrade is not possible, consider implementing rate limiting on incoming HTTP requests to mitigate the impact of malicious requests. Monitor server memory usage and resource utilization to detect potential DoS attacks. After upgrading, confirm the fix by sending a large chunked HTTP request and verifying that the server does not exhaust memory.
How to fix
Update the Bandit library to version 1.11.1 or later to mitigate the denial-of-service vulnerability. This update fixes the issue by limiting the size of the HTTP/1 request body, preventing memory exhaustion.
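The body-size limit that the fix describes, shown as an added Python example that is not Bandit's own code: a chunked-body decoder that checks each declared chunk length against a cap before reading the chunk data, so neither one oversized chunk nor an endless stream of small ones can grow the buffer past the limit. All names and the sample input are constructed for this example.

```python
"""Bounded chunked-body reader (added example, not Bandit's code).

Decodes a chunked HTTP/1 body incrementally and refuses it once the declared
chunk sizes would exceed a cap: the "limit the request body size" pattern the
fix describes, instead of buffering whatever the client streams.
"""
import io
import re

class BodyTooLarge(Exception):
    """Decoded body would exceed max_body_bytes."""

class MalformedChunk(ValueError):
    """Chunk-size line is not plain hex or lacks CRLF, or chunk data is truncated."""

def read_chunked_body(stream: io.BufferedIOBase, max_body_bytes: int) -> bytes:
    """Return the decoded body, or raise before buffering past the cap; the cap
    is checked against the *declared* chunk length before data is read, so a
    hostile size line such as "FFFFFFFF" is refused without allocating it.
    """
    body = bytearray()
    while True:
        size_line = stream.readline(1024)                # bound the size line too
        if not size_line.endswith(b"\r\n"):
            raise MalformedChunk("chunk-size line too long or missing CRLF")
        size_field = size_line.split(b";", 1)[0].strip()  # drop chunk extensions
        if re.fullmatch(rb"[0-9A-Fa-f]{1,16}", size_field) is None:
            raise MalformedChunk(f"bad chunk size {size_field!r}")
        chunk_len = int(size_field, 16)
        if chunk_len == 0:                               # last-chunk: skip trailers
            while stream.readline(1024) not in (b"\r\n", b""):
                pass
            return bytes(body)
        if len(body) + chunk_len > max_body_bytes:
            raise BodyTooLarge(f"body would exceed {max_body_bytes} bytes")
        data = stream.read(chunk_len)
        if len(data) != chunk_len or stream.read(2) != b"\r\n":
            raise MalformedChunk("truncated chunk data")
        body += data

def outcome(raw: bytes, max_body_bytes: int = 1024):
    """Decode an in-memory body: return it, or the name of the refusal raised."""
    try:
        return read_chunked_body(io.BytesIO(raw), max_body_bytes)
    except (BodyTooLarge, MalformedChunk) as exc:
        return type(exc).__name__

# Constructed sample (not from the advisory): two small chunks, then last-chunk.
SAMPLE_BODY = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
```

The cap applies to the accumulated total, so two 1024-byte chunks against a 1024-byte limit are refused on the second chunk header, before its data is read.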
Frequently asked questions
What is CVE-2026-39803 — DoS in Bandit via Memory Exhaustion?
CVE-2026-39803 is a DoS vulnerability in Bandit where attackers can cause memory exhaustion via chunked HTTP requests.
Am I affected by CVE-2026-39803 in Bandit?
If you are using Bandit versions prior to 1.4.0, you are likely affected.
How do I fix CVE-2026-39803 in Bandit?
Upgrade Bandit to version ae3520dfdbfab115c638f8c7f6f6b805db34e1ab or later.
Is CVE-2026-39803 being actively exploited?
Currently, there are no known active exploitation campaigns or public POCs for CVE-2026-39803.
Where can I find the official Bandit advisory for CVE-2026-39803?
Refer to the Bandit project's official website or repository for any published advisories related to CVE-2026-39803.