CVE-2026-42788 - Bandit HTTP/2 Frame Size Limit Bypass via Late Buffer Check Enables Memory Exhau
CVE-2026-42788 - Bandit HTTP/2 Frame Size Limit Bypass via Late Buffer Check Enables Memory Exhau
GHSA-q6v9-r226-v65f MEDIUM erlang/bandit
CVE: CVE-2026-42788
Summary
Bandit's HTTP/2 parser checks frame size *after* it has already buffered the full body, instead of when it sees the 9-byte header. A peer can announce a 16 MiB frame on a connection that agreed to 16 KiB frames and the server will silently buffer up to 1024× the agreed budget per connection. Across many connections this becomes a memory-pressure DoS. Severity: medium.
Details
In lib/bandit/http2/frame.ex:23-65, every clause that could detect an oversized frame requires payload::binary-size(length) to match — meaning the body has to be fully in memory before the size guard runs. Until then the parser returns {:more, msg} and the connection layer keeps reading. So the cap fires only after the violation is complete.
The frame type and stream id don't matter; the parser never gets that far.
PoC
The script is at the end. It:
1. Opens an h2c connection to a Bandit server it starts itself.
2. Sends a 9-byte frame header announcing length = 0xFFFFFF (~16 MiB).
3. Polls for GOAWAY(FRAME_SIZE_ERROR). If silent, drips body bytes in 64 KiB chunks.
A patched server sends GOAWAY on the header alone. A vulnerable server stays silent and keeps accepting bytes.
Suggested fix
Add a header-only clause that rejects on the length field alone, e.g. def deserialize(<<length::24, _::binary>> = msg, max_frame_size) when length > max_frame_size, do: {{:error, frame_size_error(), "..."}, drop_frame_or_close(msg)}, placed before the body-bearing clauses so the size check runs as soon as the 9-byte header is in hand rather than after the body has been buffered.
Impact
Any Bandit server speaking HTTP/2 (h2 or h2c). No authentication or specific route needed — the bug is in the framing layer, before any Plug runs. An attacker holding a few thousand concurrent connections can pin tens of GiB of buffer memory, far beyond what the negotiated max_frame_size should allow. No code execution, no data disclosure — pure resource exhaustion.
Fix: add a
📌 来源: GitHub-Advisory | 🆔 CVE-2026-42788 | 📅 2026-05-07