PatchSiren

CVE-2026-39803 mtrudel CVE debrief

CVE-2026-39803 is an unauthenticated remote denial-of-service issue in mtrudel Bandit. A chunked HTTP/1 request body can bypass the intended request-size limit, causing Bandit to buffer the full body and potentially exhaust memory before a 413 response can be issued.

Vendor: mtrudel
Product: bandit
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-05-21
Advisory published: 2026-05-13
Advisory updated: 2026-05-21

Who should care

Operators and developers running Elixir/Phoenix applications that use Bandit for HTTP/1 request handling, especially deployments relying on Plug.Parsers size limits to protect against oversized request bodies.

Technical summary

The vulnerable path is the chunked branch of Elixir.Bandit.HTTP1.Socket:read_data/2 in lib/bandit/http1/socket.ex. According to the advisory, do_read_chunked_data!/5 ignores the caller-supplied :length option and accumulates every received chunk into an iolist before materializing the entire request body as a single binary. Because the function always returns {:ok, body, ...}, callers such as Plug.Parsers never get a chance to stop reading early and answer with a 413. The content-length path in the same function enforces the limit correctly and is not affected. The issue affects Bandit versions from 1.4.0 up to, but not including, 1.11.1.
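To make the defect class concrete, here is an added illustration (written for this debrief, not Bandit's own Elixir code): a minimal chunked-body decoder in two variants, one that accepts a limit but never consults it, mirroring the bug described above, and one that fails before buffering the chunk that would breach the limit. The encoder and the sample bodies are constructed for the example.

```python
# Added illustration of the defect class, not code from Bandit.
from typing import Iterator, List, Optional


class PayloadTooLarge(Exception):
    """Raised when the body would exceed the caller's limit (maps to HTTP 413)."""


def _iter_chunks(stream: bytes) -> Iterator[bytes]:
    """Yield the data of each chunk from a raw chunked-encoded body.
    Assumes well-formed input; stops at the zero-size terminator chunk."""
    pos = 0
    while True:
        eol = stream.index(b"\r\n", pos)
        size = int(stream[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return
        yield stream[pos:pos + size]
        pos += size + 2  # skip chunk data and its trailing CRLF


def read_chunked_unbounded(stream: bytes, length: Optional[int] = None) -> bytes:
    """Vulnerable pattern: `length` is accepted but never checked, so every
    chunk is accumulated and the whole body is materialised before returning."""
    parts: List[bytes] = []
    for chunk in _iter_chunks(stream):
        parts.append(chunk)
    return b"".join(parts)


def read_chunked_bounded(stream: bytes, length: int) -> bytes:
    """Hardened pattern: keep a running total and fail as soon as the next
    chunk would push the body past `length`, before that chunk is buffered."""
    parts: List[bytes] = []
    total = 0
    for chunk in _iter_chunks(stream):
        total += len(chunk)
        if total > length:
            raise PayloadTooLarge(f"body exceeds {length} bytes")
        parts.append(chunk)
    return b"".join(parts)


def encode_chunked(pieces: List[bytes]) -> bytes:
    """Constructed helper: build a chunked-encoded body from plain pieces."""
    out = b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces)
    return out + b"0\r\n\r\n"
```

Run against a body four times larger than the limit, the unbounded variant happily returns all of it while the bounded variant raises on the third chunk.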

Defensive priority

High. This is a network-reachable, unauthenticated denial of service that can terminate the BEAM process through memory exhaustion. Because Plug.Parsers runs before routing and authentication in the standard Phoenix endpoint, the attack can be triggered without a valid route or credentials.

Recommended defensive actions

  • Upgrade Bandit to 1.11.1 or later.
  • Verify deployed Phoenix/Elixir services are not pinned to affected Bandit versions (1.4.0 through 1.11.0).
  • Review any reverse-proxy or edge controls for request-body limits, but treat application patching as the primary fix.
  • Monitor for process crashes, OOM-killer events, and sudden memory growth tied to chunked uploads.
  • Confirm that application testing includes oversized Transfer-Encoding: chunked requests against exposed endpoints after patching.

Evidence notes

The supplied CVE record states an allocation-of-resources-without-limits issue leading to memory exhaustion and identifies Bandit versions 1.4.0 before 1.11.1 as affected. The NVD record references the ERLEF CNA advisory, the Bandit patch commit, the GitHub security advisory, and OSV, all of which align on the affected component and fix range. Published date is 2026-05-13T14:17:32.633Z and modified date is 2026-05-21T15:23:12.223Z per the supplied timeline. No KEV entry is provided in the supplied data.

Official resources

Publicly disclosed on 2026-05-13T14:17:32.633Z and last modified on 2026-05-21T15:23:12.223Z, per the supplied CVE timeline. No KEV date was provided in the supplied corpus.