{"vulnerability": "CVE-2026-42788", "sightings": [{"uuid": "a4682fcf-2105-4378-8410-20d6e69df383", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42788", "type": "seen", "source": "https://gist.github.com/alon710/60dab51279f6b991c4df239e6fd329b2", "content": "# CVE-2026-42788: CVE-2026-42788: HTTP/2 Frame Size Limit Bypass and Memory Exhaustion in Bandit\n\n> **CVSS Score:** 6.9\n> **Published:** 2026-05-07\n> **Full Report:** https://cvereports.com/reports/CVE-2026-42788\n\n## Summary\nCVE-2026-42788 is a critical resource management vulnerability in the Bandit HTTP server for Elixir. The flaw exists within the HTTP/2 frame deserialization logic, where binary pattern matching defers size validation until after memory allocation. This allows an unauthenticated remote attacker to cause memory exhaustion and Denial of Service by transmitting oversized HTTP/2 frames.\n\n## TL;DR\nUnauthenticated remote attackers can trigger Denial of Service in the Bandit Elixir HTTP server via memory exhaustion by sending oversized HTTP/2 frames, bypassing size limits due to deferred buffer validation in pattern matching.\n\n## Technical Details\n\n- **CWE ID**: CWE-770\n- **Attack Vector**: Network\n- **CVSS v4.0**: 6.9\n- **EPSS Score**: 0.00017\n- **Impact**: Denial of Service (DoS)\n- **Exploit Status**: None\n- **CISA KEV**: Not Listed\n\n## Affected Systems\n\n- bandit (Elixir HTTP server)\n- **bandit**: 0.3.6 <= version < 1.11.0 (Fixed in: `1.11.0`)\n\n## Mitigation\n\n- Upgrade the bandit dependency to version 1.11.0 or later.\n- Implement rate limiting and connection concurrency limits at the reverse proxy or WAF layer.\n- Enforce process-level memory limits using containerization policies (e.g., cgroups, Kubernetes resource quotas).\n\n**Remediation Steps:**\n1. Modify the mix.exs file in the Elixir project to require bandit version >= 1.11.0.\n2. Execute `mix deps.get` and `mix deps.compile` to fetch and compile the updated dependency.\n3. Verify the update by inspecting the mix.lock file ensuring the bandit version reflects 1.11.0.\n4. Deploy the updated application build to staging, test HTTP/2 functionality, and proceed to production deployment.\n\n## References\n\n- [GitHub Advisory: GHSA-q6v9-r226-v65f](https://github.com/mtrudel/bandit/security/advisories/GHSA-q6v9-r226-v65f)\n- [Erlang Ecosystem Foundation CNA Advisory](https://cna.erlef.org/cves/CVE-2026-42788.html)\n- [OSV Record: EEF-CVE-2026-42788](https://osv.dev/vulnerability/EEF-CVE-2026-42788)\n- [CVE.org Record: CVE-2026-42788](https://www.cve.org/CVERecord?id=CVE-2026-42788)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-42788) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-07T04:10:29.000000Z"}]}