{"vulnerability": "cve-2026-4278", "sightings": [{"uuid": "a69cfbcd-ec8a-4063-b745-010b81fc9ffa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-4278", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mhwwvxa74w24", "content": "", "creation_timestamp": "2026-03-26T06:08:55.869104Z"}, {"uuid": "a4682fcf-2105-4378-8410-20d6e69df383", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42788", "type": "seen", "source": "https://gist.github.com/alon710/60dab51279f6b991c4df239e6fd329b2", "content": "# CVE-2026-42788: CVE-2026-42788: HTTP/2 Frame Size Limit Bypass and Memory Exhaustion in Bandit\n\n> **CVSS Score:** 6.9\n> **Published:** 2026-05-07\n> **Full Report:** https://cvereports.com/reports/CVE-2026-42788\n\n## Summary\nCVE-2026-42788 is a critical resource management vulnerability in the Bandit HTTP server for Elixir. The flaw exists within the HTTP/2 frame deserialization logic, where binary pattern matching defers size validation until after memory allocation. This allows an unauthenticated remote attacker to cause memory exhaustion and Denial of Service by transmitting oversized HTTP/2 frames.\n\n## TL;DR\nUnauthenticated remote attackers can trigger Denial of Service in the Bandit Elixir HTTP server via memory exhaustion by sending oversized HTTP/2 frames, bypassing size limits due to deferred buffer validation in pattern matching.\n\n## Technical Details\n\n- **CWE ID**: CWE-770\n- **Attack Vector**: Network\n- **CVSS v4.0**: 6.9\n- **EPSS Score**: 0.00017\n- **Impact**: Denial of Service (DoS)\n- **Exploit Status**: None\n- **CISA KEV**: Not Listed\n\n## Affected Systems\n\n- bandit (Elixir HTTP server)\n- **bandit**: 0.3.6 <= version < 1.11.0 (Fixed in: `1.11.0`)\n\n## Mitigation\n\n- Upgrade the bandit dependency to version 1.11.0 or later.\n- Implement rate limiting and connection concurrency limits at the reverse proxy or WAF layer.\n- Enforce process-level memory limits using containerization policies (e.g., cgroups, Kubernetes resource quotas).\n\n**Remediation Steps:**\n1. Modify the mix.exs file in the Elixir project to require bandit version >= 1.11.0.\n2. Execute `mix deps.get` and `mix deps.compile` to fetch and compile the updated dependency.\n3. Verify the update by inspecting the mix.lock file ensuring the bandit version reflects 1.11.0.\n4. Deploy the updated application build to staging, test HTTP/2 functionality, and proceed to production deployment.\n\n## References\n\n- [GitHub Advisory: GHSA-q6v9-r226-v65f](https://github.com/mtrudel/bandit/security/advisories/GHSA-q6v9-r226-v65f)\n- [Erlang Ecosystem Foundation CNA Advisory](https://cna.erlef.org/cves/CVE-2026-42788.html)\n- [OSV Record: EEF-CVE-2026-42788](https://osv.dev/vulnerability/EEF-CVE-2026-42788)\n- [CVE.org Record: CVE-2026-42788](https://www.cve.org/CVERecord?id=CVE-2026-42788)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-42788) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-07T04:10:29.000000Z"}, {"uuid": "e694a220-f86f-452e-9e8e-c687083d5c35", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42786", "type": "seen", "source": "https://gist.github.com/alon710/7e14a0d3fcae150a08d7fce945893208", "content": "# CVE-2026-42786: CVE-2026-42786: Unbounded WebSocket Fragmented Message Reassembly Denial of Service in Bandit\n\n> **CVSS Score:** 8.7\n> **Published:** 2026-05-07\n> **Full Report:** https://cvereports.com/reports/CVE-2026-42786\n\n## Summary\nAn unauthenticated remote denial of service vulnerability exists in the Bandit HTTP server due to unbounded resource allocation during WebSocket fragment reassembly. Attackers can trigger complete memory exhaustion by streaming continuous WebSocket frames without the finalization bit, causing the Erlang virtual machine to crash.\n\n## TL;DR\nBandit < 1.11.0 fails to limit cumulative size of fragmented WebSocket messages, allowing unauthenticated attackers to cause an Out-of-Memory (OOM) denial of service by sending infinite continuation frames.\n\n## Technical Details\n\n- **CWE ID**: CWE-770\n- **Attack Vector**: Network (Unauthenticated)\n- **CVSS 4.0 Score**: 8.7 (High)\n- **EPSS Percentile**: 17.28%\n- **Primary Impact**: Denial of Service (OOM)\n- **Exploit Status**: None (Theoretical PoC)\n- **CISA KEV**: No\n\n## Affected Systems\n\n- Bandit HTTP Server (0.5.0 up to 1.11.0)\n- Phoenix Web Applications using vulnerable Bandit instances as the web server adapter\n- **bandit**: >= 0.5.0, < 1.11.0 (Fixed in: `1.11.0`)\n\n## Mitigation\n\n- Upgrade bandit package to version 1.11.0 or higher\n- Configure web application firewall (WAF) to inspect and limit abnormal WebSocket message continuation patterns\n- Implement connection rate limiting and maximum connection duration timeouts\n\n**Remediation Steps:**\n1. Update `mix.exs` to require `bandit` version `~> 1.11`\n2. Run `mix deps.get` and `mix deps.compile` to fetch and build the updated library\n3. If the application legitimately handles WebSocket messages larger than 8MB, configure `max_fragmented_message_size` in the Bandit endpoint configuration\n4. Deploy the application and monitor WebSocket connection metrics for unexpected termination errors (Code 1009)\n\n## References\n\n- [NVD - CVE-2026-42786](https://nvd.nist.gov/vuln/detail/CVE-2026-42786)\n- [GitHub Advisory GHSA-pf94-94m9-536p](https://github.com/mtrudel/bandit/security/advisories/GHSA-pf94-94m9-536p)\n- [EEF CVE-2026-42786](https://cna.erlef.org/cves/CVE-2026-42786.html)\n- [OSV EEF-CVE-2026-42786](https://osv.dev/vulnerability/EEF-CVE-2026-42786)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-42786) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-07T05:40:29.000000Z"}, {"uuid": "303f3484-5603-495f-b35f-86e6617ff434", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-4278", "type": "seen", "source": "https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2026-4278", "content": "", "creation_timestamp": "2026-03-26T04:16:39.000000Z"}, {"uuid": "bb99cbb1-ae21-4518-898e-76e92a5be7ad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42786", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116512528267704627", "content": "Some increased actor activities are shown targeting mtrudel bandit (CVE-2026-42786) https://vuldb.com/vuln/360789/cti", "creation_timestamp": "2026-05-03T20:28:12.507614Z"}]}