CVE-2026-39806
Published: 13 May 2026
Summary
CVE-2026-39806 is a high-severity Infinite Loop (CWE-835) vulnerability in Mtrudel Bandit. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 46.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2026-39806 is an infinite-loop vulnerability (CWE-835) in the Bandit web server for Elixir. The flaw resides in Elixir.Bandit.HTTP1.Socket:do_read_chunked_data!/5, which only exits the read loop when a final chunk (0\r\n) is immediately followed by an empty trailer line (\r\n). Because RFC 9112 permits zero or more trailer fields between these lines, any request containing trailers causes the catch-all clause to compute a negative read length, receive an empty result on timeout, and tail-recurse indefinitely, pinning the worker process for the life of the TCP connection. The issue affects all Bandit releases from 1.6.1 through 1.11.0.
An unauthenticated remote attacker can exhaust the worker pool—and thereby render the entire server unresponsive—by opening a handful of concurrent connections that each send a standards-conformant chunked request containing trailer fields. No authentication, special headers, or large payloads are required. Because intermediaries such as NGINX and HAProxy forward such requests unchanged, servers behind these proxies can be affected even when the direct client is not malicious.
The official Erlang Ecosystem Foundation advisory and the Bandit security advisory GHSA-rf5q-vwxw-gmrf both recommend upgrading to version 1.11.1 or later; the corresponding fix is contained in commit ae3520dfdbfab115c638f8c7f6f6b805db34e1ab. The associated EPSS scores remain low (current 0.0105, peak 0.0106) with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-29951
Vulnerability details
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is followed immediately by the empty trailer line \r\n. RFC 9112 §7.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives <<>> on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection. A handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement. This issue affects bandit: from 1.6.1 before 1.11.1.
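The two termination rules contrasted in the analysis above and in the vulnerability details, as an added example in Python (not Bandit's code): a chunked-body decoder that parses the RFC 9112 §7.1.2 trailer section as zero or more field lines, beside a predicate that reproduces the "last-chunk immediately followed by an empty line" rule and so never declares a trailer-bearing message complete. The sample messages are constructed.

```python
import re

CRLF = b"\r\n"
# chunk-size in hex, optionally followed by chunk extensions (";name=value")
CHUNK_SIZE_RE = re.compile(rb"^([0-9A-Fa-f]+)(?:;[^\r\n]*)?$")

# Constructed samples: the same body, without and with a trailer field between 0\r\n and the final \r\n
MSG_NO_TRAILER = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
MSG_WITH_TRAILER = (b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n"
                    b"Expires: Wed, 21 Oct 2015 07:28:00 GMT\r\n\r\n")

def decode_chunked(buf: bytes):
    """Return (body, trailers, bytes_consumed), or None if more data is genuinely
    needed. Trailers are parsed as field lines, so any complete message terminates."""
    pos, body, trailers = 0, bytearray(), []
    while True:                                   # chunk = chunk-size CRLF chunk-data CRLF
        end = buf.find(CRLF, pos)
        if end < 0:
            return None                           # chunk-size line incomplete
        m = CHUNK_SIZE_RE.match(buf[pos:end])
        if not m:
            raise ValueError("malformed chunk-size line")
        size, pos = int(m.group(1), 16), end + 2
        if size == 0:
            break                                 # last-chunk; trailer section follows
        if len(buf) < pos + size + 2:
            return None                           # chunk-data incomplete
        if buf[pos + size:pos + size + 2] != CRLF:
            raise ValueError("chunk-data not terminated by CRLF")
        body += buf[pos:pos + size]
        pos += size + 2
    while True:                                   # trailer-section = *( field-line CRLF ) CRLF
        end = buf.find(CRLF, pos)
        if end < 0:
            return None                           # trailer section incomplete
        line, pos = buf[pos:end], end + 2
        if not line:
            return bytes(body), trailers, pos     # empty line ends the message
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed trailer field")
        trailers.append((name.strip().decode("ascii"), value.strip().decode("ascii")))

def ends_on_bare_last_chunk(buf: bytes) -> bool:
    """Model of the termination rule the advisory describes (not Bandit's code): the
    body counts as finished only when the last-chunk line is immediately followed by an
    empty line. A complete message with trailers never satisfies this, so a reader
    built on it keeps waiting for bytes that will never arrive."""
    return buf.endswith(b"\r\n0\r\n\r\n") or buf == b"0\r\n\r\n"
```

On the second sample the decoder returns the body, one trailer and the full message length, while the strict predicate reports "not finished"; on a truncated buffer the decoder returns None, which is the only case in which waiting for more input is correct.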
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Infinite loop in HTTP chunked trailer parsing directly enables remote unauthenticated application-layer DoS via worker exhaustion (T1499.004).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.