Cyber Resilience

CVE-2026-39806

Severity: High · Public PoC · DDoS

Published: 13 May 2026
Modified: 21 May 2026
KEV Added: not listed
Patch: fixed in 1.11.1
CVSS v4 base score: 8.7 (High)
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0064 (46.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-39806 is a high-severity Infinite Loop (CWE-835) vulnerability in mtrudel's Bandit, an HTTP server for Elixir. Its CVSS v4 base score is 8.7 (High); the vector reflects an unauthenticated network attacker with no user interaction and a high availability impact only.

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks the CVE at the 46.0th percentile for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2026-39806 is an infinite-loop vulnerability (CWE-835) in the Bandit web server for Elixir. The flaw resides in Elixir.Bandit.HTTP1.Socket:do_read_chunked_data!/5, which exits its read loop only when the last-chunk line (0\r\n) is immediately followed by the empty line (\r\n) that closes the trailer section. RFC 9112 §7.1.2 permits zero or more trailer field lines between those two lines, so a request that carries trailers never matches that clause. The catch-all clause instead computes a negative read length, read_available!/2 returns an empty binary on timeout, and the function tail-recurses with unchanged state, pinning the worker process for the life of the TCP connection. The issue affects all Bandit releases from 1.6.1 up to and including 1.11.0.

An unauthenticated remote attacker can exhaust the worker pool—and thereby render the entire server unresponsive—by opening a handful of concurrent connections that each send a standards-conformant chunked request containing trailer fields. No authentication, special headers, or large payloads are required. Because intermediaries such as NGINX and HAProxy forward such requests unchanged, servers behind these proxies can be affected even when the direct client is not malicious.

The official Erlang Ecosystem Foundation advisory and the Bandit security advisory GHSA-rf5q-vwxw-gmrf both recommend upgrading to version 1.11.1 or later; the corresponding fix is contained in commit ae3520dfdbfab115c638f8c7f6f6b805db34e1ab. The associated EPSS scores remain low (current 0.0105, peak 0.0106) with no material increase after disclosure.


Vulnerability details

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is followed immediately by the empty trailer line \r\n. RFC 9112 §7.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives <<>> on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection. A handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement. This issue affects bandit: from 1.6.1 before 1.11.1.
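As an added illustration of the parsing behaviour described both in the Deeper analysis and in the vulnerability details above (this is example code written for this page, not Bandit's code and not taken from the advisory), the following Python sketch decodes an HTTP/1.1 chunked body with a trailer section handled per RFC 9112 §7.1.2: zero or more field lines after the last-chunk line, closed by an empty line. An incomplete buffer produces an explicit need-more-data signal instead of a retry on unchanged state, and a naive terminator check that only accepts 0\r\n\r\n is shown beside it to make clear why any trailer field defeats it. The request builder, the example.test host, the size limits and all function names are assumptions of the example.

```python
"""Chunked transfer-coding decoder with RFC 9112 7.1.2 trailer handling.
Constructed example; not Bandit's code. Limits and names are assumptions."""
from typing import List, Tuple

CRLF = b"\r\n"
HEX_DIGITS = b"0123456789abcdefABCDEF"
MAX_LINE = 8192           # assumed bound on one chunk-size or trailer line
MAX_TRAILER_BYTES = 8192  # assumed bound on the whole trailer section


class NeedMoreData(Exception):
    """Buffer holds an incomplete body: read more bytes before retrying.
    Retrying on an unchanged buffer is the spin the advisory describes."""


def parse_chunk_size(line: bytes) -> int:
    """chunk-size is hexadecimal; chunk extensions after ';' are ignored."""
    size_field = line.split(b";", 1)[0].strip()
    if not size_field or any(c not in HEX_DIGITS for c in size_field):
        raise ValueError("bad chunk-size line: %r" % line)
    return int(size_field.decode("ascii"), 16)


def decode_chunked(buf: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]], bytes]:
    """Decode one complete chunked body; return (body, trailers, remaining).
    Raises NeedMoreData when buf is incomplete, ValueError when malformed."""
    pos, body = 0, bytearray()
    while True:
        eol = buf.find(CRLF, pos)
        if eol == -1:
            if len(buf) - pos > MAX_LINE:
                raise ValueError("chunk-size line too long")
            raise NeedMoreData()
        size = parse_chunk_size(buf[pos:eol])
        pos = eol + 2
        if size == 0:
            break                       # last-chunk; trailer section follows
        if len(buf) < pos + size + 2:
            raise NeedMoreData()
        body += buf[pos:pos + size]
        if buf[pos + size:pos + size + 2] != CRLF:
            raise ValueError("chunk-data not terminated by CRLF")
        pos += size + 2
    # Trailer section: *( field-line CRLF ) CRLF  (zero or more field lines)
    trailers: List[Tuple[bytes, bytes]] = []
    trailer_start = pos
    while True:
        eol = buf.find(CRLF, pos)
        if eol == -1:
            if len(buf) - trailer_start > MAX_TRAILER_BYTES:
                raise ValueError("trailer section too large")
            raise NeedMoreData()
        line, pos = buf[pos:eol], eol + 2
        if line == b"":                 # empty line ends the message body
            return bytes(body), trailers, buf[pos:]
        if pos - trailer_start > MAX_TRAILER_BYTES:
            raise ValueError("trailer section too large")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("bad trailer field line: %r" % line)
        trailers.append((name.strip().lower(), value.strip()))


def naive_terminator_check(buf: bytes) -> bool:
    """Models the insufficient exit condition the advisory describes: accept
    only when '0\\r\\n' is immediately followed by '\\r\\n'. One trailer field
    line between the two makes this False, however much data arrives."""
    return buf.endswith(b"0\r\n\r\n")


def build_chunked_request(chunks: List[bytes],
                          trailers: List[Tuple[bytes, bytes]]) -> bytes:
    """Build an RFC-conformant chunked POST (host and path are made up);
    with trailers it is the shape of request the advisory says is sufficient."""
    head = [b"POST /upload HTTP/1.1", b"Host: example.test",
            b"Transfer-Encoding: chunked"]
    if trailers:
        head.append(b"Trailer: " + b", ".join(n for n, _ in trailers))
    body = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n"
    body += b"".join(n + b": " + v + CRLF for n, v in trailers) + CRLF
    return CRLF.join(head) + CRLF + CRLF + body


def decode_status(buf: bytes) -> str:
    """Summarise the decoder's verdict as a string for demos and tests."""
    try:
        body, trailers, _ = decode_chunked(buf)
        return "complete: %d body bytes, %d trailer(s)" % (len(body), len(trailers))
    except NeedMoreData:
        return "incomplete"
    except ValueError as exc:
        return "malformed: %s" % exc


if __name__ == "__main__":
    req = build_chunked_request([b"hello ", b"world"],
                                [(b"X-Checksum", b"abc"), (b"X-Signature", b"def")])
    _, _, raw_body = req.partition(CRLF + CRLF)
    print(decode_status(raw_body))           # complete: 11 body bytes, 2 trailer(s)
    print(naive_terminator_check(raw_body))  # False: trailers defeat the naive check
```

The design point is that the decoder makes progress on every iteration or returns control: a partial body raises NeedMoreData so the caller reads more before retrying, and a malformed or oversized trailer section fails closed instead of being re-read. The naive check, by contrast, has no way to consume a trailer field line and so can never become true for a conformant trailer-bearing request, which is the condition the advisory attributes to the vulnerable loop.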

CWE(s)

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Infinite loop in HTTP chunked trailer parsing directly enables remote unauthenticated application-layer DoS via worker exhaustion (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-39803 (same product: Mtrudel Bandit)
CVE-2026-31448 (shared CWE-835)
CVE-2026-23451 (shared CWE-835)
CVE-2026-29975 (shared CWE-835)
CVE-2026-42899 (shared CWE-835)
CVE-2026-2219 (shared CWE-835)
CVE-2024-40675 (shared CWE-835)
CVE-2026-32287 (shared CWE-835)
CVE-2026-21507 (shared CWE-835)
CVE-2026-26283 (shared CWE-835)

Affected Assets

mtrudel / bandit: versions 1.6.1 up to, but not including, 1.11.1 (1.11.1 contains the fix)

Mitigating Controls

Likely Mitigating Controls (AI-assisted mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-835: Enables transfer to an alternate site if an infinite loop at the primary renders processing unavailable.

Addresses CWE-835: Detects and mitigates infinite loops that produce sustained resource consumption.
