CVE-2026-39803: DoS in Bandit HTTP1 Socket
Platform: other
Component: bandit
Fixed in: ae3520dfdbfab115c638f8c7f6f6b805db34e1ab
CVE-2026-39803 describes a Denial of Service (DoS) vulnerability in Bandit, a popular HTTP server for Elixir. The flaw lets unauthenticated attackers exhaust server memory because no limit is applied to the size of chunked HTTP/1 request bodies. Versions prior to the fix commit ae3520dfdbfab115c638f8c7f6f6b805db34e1ab are affected. A fix has been released, and upgrading is the recommended remediation.
Impact and Attack Scenarios
The core of the vulnerability lies in the do_read_chunked_data!/5 function in Bandit's HTTP/1 socket handling. Instead of respecting the configured length limit, it unconditionally appends every received chunk to a single accumulating binary, regardless of size. An attacker can exploit this by sending a series of oversized chunked HTTP/1 requests: each chunk grows the accumulated binary until the server runs out of memory. This can cause Bandit to crash, become unresponsive, or degrade significantly in performance, effectively denying service to legitimate users. Because no authentication is required, an attacker needs no credentials to trigger the condition, which widens the attack surface.
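The defect and its fix, reduced to the accumulation loop, as an added illustration written for this page (it is not Bandit's code and does not mirror its internal API): the unbounded variant appends each chunk with no check, while the bounded variant compares the running size against a caller-supplied `max_length` (name assumed) before appending. The input is assumed to be the raw chunked-encoded body bytes; chunk extensions and trailers are ignored.

```elixir
defmodule ChunkedReader do
  # Reads an HTTP/1 chunked request body from a binary such as
  # "5\r\nhello\r\n0\r\n\r\n". Illustrative only; in a real server the bytes
  # arrive incrementally from the socket, but the limit check must still sit
  # before every append, which is exactly what the bounded variant shows.

  # Vulnerable shape: no upper bound, so a peer can grow `acc` until the VM
  # runs out of memory.
  def read_unbounded(data), do: do_read(data, <<>>, :infinity)

  # Hardened shape: the configured limit is enforced before each chunk is
  # appended, so the accumulated body can never exceed `max_length` bytes.
  def read_bounded(data, max_length) when is_integer(max_length) and max_length >= 0,
    do: do_read(data, <<>>, max_length)

  defp do_read(data, acc, max_length) do
    case parse_chunk_header(data) do
      # A zero-size chunk terminates the body.
      {:ok, 0, _rest} ->
        {:ok, acc}

      {:ok, size, rest} ->
        if max_length != :infinity and byte_size(acc) + size > max_length do
          # Reject before allocating; this is the check the fix introduces.
          {:error, :body_too_large}
        else
          case rest do
            <<chunk::binary-size(size), "\r\n", remaining::binary>> ->
              do_read(remaining, acc <> chunk, max_length)

            _ ->
              {:error, :incomplete_chunk}
          end
        end

      {:error, reason} ->
        {:error, reason}
    end
  end

  # Parses a "<hex-size>[;extensions]\r\n" line and returns the declared size
  # together with the bytes that follow it.
  defp parse_chunk_header(data) do
    case :binary.split(data, "\r\n") do
      [line, rest] ->
        size_str = line |> String.split(";", parts: 2) |> hd() |> String.trim()

        case Integer.parse(size_str, 16) do
          {size, ""} when size >= 0 -> {:ok, size, rest}
          _ -> {:error, :invalid_chunk_size}
        end

      _ ->
        {:error, :incomplete_chunk_header}
    end
  end
end
```

Calling `ChunkedReader.read_bounded(body, 8)` on a body whose chunks total more than 8 bytes returns `{:error, :body_too_large}` without ever building the oversized binary, whereas `read_unbounded/1` keeps appending for as long as the peer keeps sending chunks.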
Exploitation Context
CVE-2026-39803 was published on 2026-05-13. Its severity is pending evaluation. There are currently no publicly available proof-of-concept (POC) exploits. It is not listed on KEV or EPSS. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Mitigation and Workarounds
The primary mitigation for CVE-2026-39803 is to upgrade Bandit to version ae3520dfdbfab115c638f8c7f6f6b805db34e1ab or later. This version includes a fix that enforces the configured length limit when reading chunked HTTP/1 request bodies, preventing uncontrolled memory consumption. If an immediate upgrade is not possible, consider implementing rate limiting on incoming HTTP/1 requests to reduce the impact of potential attacks. Web application firewalls (WAFs) configured to detect and block oversized HTTP requests can also provide a temporary layer of protection. There are no specific Sigma or YARA rules available at this time, but monitoring memory usage on Bandit servers is recommended.
How to fix
Upgrade the Bandit library to version 1.11.1 or later to mitigate the denial-of-service vulnerability. This update fixes the issue by limiting the size of the HTTP/1 request body, preventing memory exhaustion.
Frequently asked questions
What is CVE-2026-39803 — DoS in Bandit HTTP1 Socket?
CVE-2026-39803 is a Denial of Service vulnerability in Bandit, affecting versions before ae3520dfdbfab115c638f8c7f6f6b805db34e1ab. Attackers can trigger memory exhaustion by sending oversized chunked HTTP/1 requests, leading to service disruption.
Am I affected by CVE-2026-39803 in Bandit?
You are affected if you are using Bandit version 1.4.0–ae3520dfdbfab115c638f8c7f6f6b805db34e1ab or earlier. Check your Bandit version with elixir -v.
How do I fix CVE-2026-39803 in Bandit?
Upgrade Bandit to version ae3520dfdbfab115c638f8c7f6f6b805db34e1ab or later. This resolves the memory exhaustion vulnerability.
Is CVE-2026-39803 being actively exploited?
Currently, there are no publicly known active exploitation campaigns for CVE-2026-39803. However, it's crucial to apply the fix promptly to mitigate potential future attacks.
Where can I find the official Bandit advisory for CVE-2026-39803?
Refer to the official Bandit project repository and related security advisories for the most up-to-date information on CVE-2026-39803: [https://github.com/bandito/bandit](https://github.com/bandito/bandit)