Memory Exhaustion Vulnerability in Elixir Bandit Product by mtrudel
CVE-2026-42788

6.9 MEDIUM

Key Information:

Vendor

Mtrudel

Status
Vendor
CVE Published:
1 May 2026

What is CVE-2026-42788?

CVE-2026-42788 is an allocation of resources without limits or throttling weakness (CWE-770) in Bandit, the Elixir HTTP server by mtrudel. When Bandit deserializes an HTTP/2 frame, it reads the entire frame body into memory before checking the length declared in the frame header against the maximum frame size. Because the check runs only after the body has been buffered, an unauthenticated remote attacker can send frames whose length field exceeds the limit and force the server to hold the oversized payload in memory. Opening many concurrent connections multiplies this per-connection allocation, so the attacker can drive the server past its memory capacity, causing denial of service and system instability. Affected versions are 0.3.6 up to, but not including, 1.11.0.
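
The ordering bug the description refers to, as an added example that is not Bandit's code: a small HTTP/2 frame reader in Python (used here rather than Elixir so the logic reads language-neutral) with the size check placed either after the body is buffered, as in the affected versions, or on the 9-byte header alone, as a fix requires. `FrameReader`, `FrameTooLarge`, `simulate` and the attacker traffic are constructed for this illustration; the 9-octet header layout, the 24-bit length field and the 16,384-octet initial SETTINGS_MAX_FRAME_SIZE are from RFC 9113.

```python
"""
Illustration of the check-ordering bug behind CVE-2026-42788 (added example,
not Bandit's code). Frame layout per RFC 9113 section 4.1: a 9-octet header
carrying a 24-bit payload length, 8-bit type, 8-bit flags and a 31-bit stream
identifier, followed by `length` octets of payload. SETTINGS_MAX_FRAME_SIZE
starts at 2^14 = 16384 octets, yet the length field can claim up to 2^24 - 1.
"""

FRAME_HEADER_LEN = 9
DEFAULT_MAX_FRAME_SIZE = 16_384   # initial SETTINGS_MAX_FRAME_SIZE (RFC 9113)
MAX_ADVERTISABLE_LEN = 0xFFFFFF   # largest value the 24-bit length field can hold


class FrameTooLarge(Exception):
    """Hypothetical error for this illustration; a real server answers FRAME_SIZE_ERROR."""


def build_frame(frame_type, flags, stream_id, payload):
    """Serialize one HTTP/2 frame (used only to construct sample input)."""
    return (len(payload).to_bytes(3, "big") + bytes([frame_type, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_header(buf):
    """Decode the 9-byte frame header; returns (length, type, flags, stream_id)."""
    length = int.from_bytes(buf[0:3], "big")
    stream_id = int.from_bytes(buf[5:9], "big") & 0x7FFFFFFF
    return length, buf[3], buf[4], stream_id


class FrameReader:
    """Per-connection frame deserializer. `check_header_first` selects the
    vulnerable ordering (False) or the fixed ordering (True)."""

    def __init__(self, check_header_first, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
        self.check_header_first = check_header_first
        self.max_frame_size = max_frame_size
        self.buf = b""
        self.peak = 0  # largest number of bytes buffered at once on this connection

    def feed(self, chunk):
        """Append bytes from the socket and return any complete frames."""
        self.buf += chunk
        self.peak = max(self.peak, len(self.buf))
        frames = []
        while len(self.buf) >= FRAME_HEADER_LEN:
            length, ftype, flags, stream_id = parse_header(self.buf)
            if self.check_header_first and length > self.max_frame_size:
                # Fixed: the 9-byte header alone is enough to reject the frame,
                # so no payload byte is ever buffered.
                raise FrameTooLarge(length)
            if len(self.buf) < FRAME_HEADER_LEN + length:
                # Need more bytes; the vulnerable path waits for the whole body here.
                return frames
            if length > self.max_frame_size:
                # Vulnerable: reached only after the entire body is already in memory.
                raise FrameTooLarge(length)
            end = FRAME_HEADER_LEN + length
            frames.append((ftype, flags, stream_id, self.buf[FRAME_HEADER_LEN:end]))
            self.buf = self.buf[end:]
        return frames


def oversized_stream(advertised_len, body_bytes_sent, chunk=4096):
    """Constructed attacker traffic: a DATA frame header claiming `advertised_len`
    payload octets on stream 1, followed by `body_bytes_sent` octets of filler."""
    yield advertised_len.to_bytes(3, "big") + bytes([0x0, 0x0]) + (1).to_bytes(4, "big")
    for _ in range(body_bytes_sent // chunk):
        yield b"A" * chunk


def simulate(reader, chunks):
    """Feed chunks until the reader rejects or the stream ends.
    Returns (peak_bytes_buffered, frame_was_rejected)."""
    try:
        for chunk in chunks:
            reader.feed(chunk)
    except FrameTooLarge:
        return reader.peak, True
    return reader.peak, False


if __name__ == "__main__":
    # A 64 KiB frame sent in full: both readers reject it, only the fixed one cheaply.
    for fixed in (False, True):
        print("check_header_first=%s -> %r" % (
            fixed, simulate(FrameReader(fixed), oversized_stream(65536, 65536))))
    # 16 MiB advertised, 256 KiB actually sent, connection then held open: the
    # vulnerable reader never reaches its check and keeps the partial body forever.
    for fixed in (False, True):
        print("check_header_first=%s -> %r" % (
            fixed, simulate(FrameReader(fixed), oversized_stream(MAX_ADVERTISABLE_LEN, 262144, 16384))))
```

The peak reported for the vulnerable ordering is the memory one connection costs the server; multiply it by the number of connections an attacker can open to see why concurrent connections matter. With the check on the header, the per-connection cost is bounded by `max_frame_size` no matter what the length field claims. A production server should reply with a FRAME_SIZE_ERROR connection error (RFC 9113 section 4.2) rather than raising, but the ordering of the check is what decides the memory bound.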

Affected Version(s)

bandit 0.3.6 < 1.11.0

bandit f00dd69a5b2a4863be585907acd853c4ffd41399 < 1.11.0

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Mat Trudel
Jonatan Männchen