CVE-2026-39806: DoS in Bandit HTTP1 Socket
Platform: linux
Component: bandit
Fixed in: ae3520dfdbfab115c638f8c7f6f6b805db34e1ab
CVE-2026-39806 describes a Denial of Service (DoS) vulnerability affecting Bandit, a popular Elixir HTTP client. The vulnerability allows unauthenticated attackers to exhaust worker processes by sending specially crafted HTTP/1.1 requests containing trailers. The issue impacts versions that do not include fix commit ae3520dfdbfab115c638f8c7f6f6b805db34e1ab; builds containing that commit carry the fix.
Impact and Attack Scenarios
The vulnerability stems from how Bandit's HTTP1 socket handles chunked data and trailers according to RFC 9112. Specifically, the do_read_chunked_data! function fails to terminate when a trailer section is present, leading to an infinite loop and subsequent exhaustion of worker processes. A successful attack can render the Bandit service unavailable, preventing legitimate requests from being processed. This could impact applications relying on Bandit for outgoing HTTP requests, potentially causing cascading failures within the system. The blast radius is limited to the availability of the Bandit client itself, but the impact can be significant if Bandit is a critical component in the application architecture.
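To show what correct termination of a chunked body with a trailer section looks like under RFC 9112 (last-chunk, zero or more trailer field lines, then an empty line), here is an added illustration in Python; it is not Bandit's code, and the function name decode_chunked and the SAMPLE bytes are constructed for this example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample body (RFC 9112 section 7.1): two chunks, the last-chunk
# "0", one trailer field line, and the empty line that ends the message.
SAMPLE = (b"4\r\nWiki\r\n5\r\npedia\r\n"
          b"0\r\n"
          b"X-Checksum: 2e9ec317\r\n"
          b"\r\n")

# chunk-size [chunk-ext] CRLF; no "^" because match(buf, pos) anchors at pos.
CHUNK_SIZE_RE = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n")


def decode_chunked(buf: bytes, max_trailer_bytes: int = 4096
                   ) -> Optional[Tuple[bytes, Dict[str, str], bytes]]:
    """Decode a chunked body. Returns (body, trailers, leftover), or None when
    more bytes are needed. Every loop iteration either consumes bytes, returns
    or raises, so a request with trailers cannot keep the reader spinning."""
    body = bytearray()
    pos = 0
    while True:
        m = CHUNK_SIZE_RE.match(buf, pos)
        if not m:
            if b"\r\n" in buf[pos:]:
                raise ValueError("malformed chunk-size line")
            return None                      # size line not complete yet
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:
            break                            # last-chunk: trailer section follows
        if len(buf) < pos + size + 2:
            return None                      # chunk data not fully received
        if buf[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        body += buf[pos:pos + size]
        pos += size + 2
    # trailer-section = *(field-line CRLF), terminated by an empty line.
    # Searching from pos - 2 also covers the empty trailer section ("0\r\n\r\n").
    end = buf.find(b"\r\n\r\n", pos - 2)
    if end == -1:
        if len(buf) - pos > max_trailer_bytes:
            raise ValueError("trailer section too large")
        return None                          # terminating empty line not seen yet
    raw = buf[pos:end] if end >= pos else b""
    trailers: Dict[str, str] = {}
    for line in (raw.split(b"\r\n") if raw else []):
        name, _, value = line.partition(b":")
        trailers[name.strip().decode().lower()] = value.strip().decode()
    return bytes(body), trailers, buf[end + 4:]
```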
Exploitation Context
The vulnerability was published on 2026-05-13. Severity is pending evaluation. No public Proof-of-Concept (PoC) code has been identified as of this writing. There are no indications of active exploitation campaigns targeting this vulnerability. Monitor the NVD and CISA advisories for updates.
Mitigation and Workarounds
The primary mitigation is to upgrade Bandit to a version that includes fix commit ae3520dfdbfab115c638f8c7f6f6b805db34e1ab. If upgrading immediately is not feasible, consider implementing rate limiting on incoming HTTP requests to the Bandit service to prevent a single attacker from overwhelming the worker processes. Additionally, configure a Web Application Firewall (WAF) to inspect HTTP/1.1 requests for unusually large trailer sections, which could indicate an attempted exploitation. There are no specific Sigma or YARA rules available at this time, but monitoring for excessive CPU usage by the Bandit worker processes is a good indicator of potential exploitation.
How to fix
Update the Bandit library to version 1.11.1 or later to mitigate the denial-of-service vulnerability. This update fixes an infinite loop in the HTTP/1 decoder that can be triggered by requests carrying trailer fields.
Frequently asked questions
What is CVE-2026-39806 — DoS in Bandit HTTP1 Socket?
CVE-2026-39806 is a Denial of Service vulnerability in Bandit, allowing attackers to exhaust worker processes via crafted HTTP/1.1 requests with trailers. It affects versions that do not include fix commit ae3520dfdbfab115c638f8c7f6f6b805db34e1ab.
Am I affected by CVE-2026-39806 in Bandit?
You are affected if you are using a Bandit version that does not include fix commit ae3520dfdbfab115c638f8c7f6f6b805db34e1ab. Check your installed version with elixir -v.
How do I fix CVE-2026-39806 in Bandit?
Upgrade Bandit to a version that includes fix commit ae3520dfdbfab115c638f8c7f6f6b805db34e1ab. Consider rate limiting and WAF rules as temporary mitigations.
Is CVE-2026-39806 being actively exploited?
There are currently no indications of active exploitation campaigns targeting CVE-2026-39806.
Where can I find the official Bandit advisory for CVE-2026-39806?
Refer to the official Bandit project repository and related Elixir community channels for updates and advisories related to CVE-2026-39806.