PatchSiren

CVE-2026-39806 mtrudel CVE debrief

CVE-2026-39806 is a high-severity denial-of-service issue in mtrudel's Bandit, the Elixir HTTP server. A flaw in chunked transfer-coding parsing leaves a worker process spinning when a valid chunked request body carries trailer fields, so an unauthenticated remote attacker can pin workers one connection at a time until the server stops responding. The issue is fixed in Bandit 1.11.1.

Vendor
mtrudel
Product
bandit
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-13
Original CVE updated
2026-05-21
Advisory published
2026-05-13
Advisory updated
2026-05-21

Who should care

Operators running Bandit 1.6.1 through 1.11.0, especially services exposed directly to the internet or sitting behind reverse proxies that pass chunked requests, trailer fields included, through to Bandit unchanged. SRE, platform, and Elixir application teams should prioritize this wherever Bandit worker exhaustion would take the service down.

Technical summary

The affected function is Elixir.Bandit.HTTP1.Socket:do_read_chunked_data!/5. Per the supplied advisory, it only terminates when the last-chunk line 0\r\n is followed immediately by the empty line \r\n that ends the trailer section. RFC 9112 allows zero or more trailer fields between those two markers. When trailer fields are present, none of the match clauses completes the parse: the fallback path computes a negative to_read value, calls read_available!/2, gets an empty read when the socket timeout fires, and recurses without having consumed anything. The worker process stays pinned for as long as the client keeps that TCP connection open. Because the triggering request is well-formed HTTP/1.1 rather than a malformed one, checks that only reject malformed chunking will not stop it, and a small number of concurrent connections is enough to exhaust the Bandit worker pool and deny service to every other client.

Defensive priority

High. This is an unauthenticated network DoS with low attack complexity and direct availability impact. Because only a few concurrent connections are needed, exposed services should treat this as an urgent patch-and-verify item.

Recommended defensive actions

  • Upgrade Bandit to 1.11.1 or later.
  • Confirm that no deployed service still resolves an affected version (1.6.1 through 1.11.0) through a transitive dependency or a stale mix.lock; check the version mix actually resolves, not only the requirement declared in mix.exs.
  • Review any reverse proxies or ingress paths that may forward chunked requests with trailer fields. A proxy that de-chunks the body before it reaches Bandit narrows exposure but is a mitigation, not a substitute for the upgrade.
  • Monitor for worker pool saturation, stalled connections, and elevated request timeouts until remediation is complete.
  • Validate the fix in staging with representative traffic that includes legitimate trailer-bearing chunked requests, and confirm those requests complete rather than hang.
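
As an added example serving both the parsing failure described under Technical summary and the staging validation step above (this is not Bandit's code and not the project's fix): a small RFC 9112 chunked-body decoder that accepts trailer fields, a simplified model of the termination rule the advisory describes that reports the stuck state instead of looping, a builder for a valid trailer-bearing request, and a staging-only probe. The host staging.example, the path /upload and the X-Checksum trailer are placeholders.

```python
"""Added example (not Bandit's code): decoding an RFC 9112 chunked body whose
last-chunk is followed by trailer fields, next to a simplified model of the
termination rule the advisory describes, and a request builder for the
staging check. Host, path and trailer names below are placeholders."""
import re
import socket

# chunk-size line: hex size plus optional ";ext=val" chunk extensions
CHUNK_SIZE_RE = re.compile(rb"^([0-9A-Fa-f]+)(?:;[^\r\n]*)?$")


def decode_chunked(data: bytes):
    """Decode a chunked body per RFC 9112 section 7.1.

    Returns (body, trailers, bytes_consumed) once the empty line that ends the
    trailer section is seen, None if more bytes are needed, and raises
    ValueError on malformed input. Trailer field names are lower-cased."""
    pos, body = 0, bytearray()
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            return None
        m = CHUNK_SIZE_RE.match(data[pos:eol])
        if not m:
            raise ValueError("bad chunk-size line: %r" % data[pos:eol])
        size, pos = int(m.group(1), 16), eol + 2
        if size == 0:
            break  # last-chunk: zero or more trailer fields follow
        if len(data) < pos + size + 2:
            return None
        body += data[pos:pos + size]
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk-data not terminated by CRLF")
        pos += size + 2
    trailers = {}
    while True:  # trailer section: fields until an empty line
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            return None
        line, pos = data[pos:eol], eol + 2
        if line == b"":
            return bytes(body), trailers, pos
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("bad trailer field: %r" % line)
        trailers[name.strip().lower().decode()] = value.strip().decode()


def strict_terminator_state(data: bytes) -> str:
    """Simplified model (not Bandit's code) of the termination rule the advisory
    describes: the body counts as complete only when '0\\r\\n' is immediately
    followed by '\\r\\n'. Such a parser has no clause for trailer fields; here the
    unmatched case is reported as 'stalled' instead of re-reading forever."""
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            return "need_more"
        size, pos = int(data[pos:eol].split(b";")[0], 16), eol + 2
        if size == 0:
            return "done" if data[pos:pos + 2] == b"\r\n" else "stalled"
        pos += size + 2  # skip chunk-data and its CRLF


def build_chunked_request(host: str, path: str, chunks, trailers: dict) -> bytes:
    """Build a valid HTTP/1.1 POST with a chunked body and trailer fields, the
    'legitimate trailer-bearing request' the staging check needs."""
    head = "POST %s HTTP/1.1\r\nHost: %s\r\nTransfer-Encoding: chunked\r\n" % (path, host)
    if trailers:
        head += "Trailer: %s\r\n" % ", ".join(trailers)
    body = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n"
    body += b"".join(("%s: %s\r\n" % kv).encode() for kv in trailers.items()) + b"\r\n"
    return head.encode() + b"\r\n" + body


def responds_within(host: str, port: int, request: bytes, timeout: float = 5.0) -> bool:
    """Staging-only probe: send one request and report whether any response bytes
    arrive before the timeout. A patched server answers; one that hangs its worker
    on the trailer section does not. Run only against hosts you own."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        try:
            return bool(s.recv(1))
        except socket.timeout:
            return False


if __name__ == "__main__":
    req = build_chunked_request("staging.example", "/upload",
                                [b"hello", b" world"], {"X-Checksum": "abc"})
    body = req.split(b"\r\n\r\n", 1)[1]
    print(decode_chunked(body))            # (b'hello world', {'x-checksum': 'abc'}, 43)
    print(strict_terminator_state(body))   # stalled
```

The same request bytes drive both parsers: the RFC-conformant decoder returns the body plus the parsed trailer, while the strict-terminator model reports the state in which the advisory says the worker becomes stuck. For the staging check, feed the output of build_chunked_request to responds_within against the patched deployment and against a known-affected build and compare the two results.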

Evidence notes

The affected version range and fix target come from the supplied NVD record and linked advisory data: Bandit is vulnerable from 1.6.1 before 1.11.1. The technical failure mode is described in the CVE text and aligns with the advisory reference and patch commit. The CVSS vector supplied by NVD indicates network reachability, no privileges, no user interaction, and availability impact only. An 8.7 for such an availability-only vector is a CVSS v4.0 base score; the equivalent v3.1 vector scores 7.5, so keep that in mind when comparing against feeds that still report v3.1. PublishedAt for the CVE is 2026-05-13T14:17:35.700Z; modifiedAt is 2026-05-21T15:23:08.653Z.

Official resources

Publicly disclosed on 2026-05-13T14:17:35.700Z; NVD record last modified on 2026-05-21T15:23:08.653Z. Fixed in Bandit 1.11.1.