Bug 2447140 (CVE-2026-2581)
| Summary: | CVE-2026-2581 undici: Undici: Denial of Service due to uncontrolled resource consumption | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aazores, abarbaro, alizardo, anpicker, anujha, asoldano, bbaranow, bmaxwell, bparees, brian.stansberry, bstansbe, cmah, darran.lofthouse, dlofthou, dosoudil, dschmidt, eaguilar, ebaron, erezende, fjuma, hasun, istudens, ivassile, iweiss, jchui, jfula, jhe, jkoehler, jlanda, jolong, jowilson, kshier, ktsao, lphiri, mosmerov, msvehla, nboldt, nwallace, nyancey, oaljalju, ometelka, pberan, pesilva, pjindal, pmackay, psrna, ptisnovs, rhel-process-autobot, rstancel, sdawley, simaishi, smaestri, smcdonal, stcannon, syedriko, teagle, thjenkin, tom.jenkinson, vdosoudi, watson-tool-maintainers, xdharmai, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Undici. When the `interceptors.deduplicate()` feature is enabled, response data for deduplicated requests can accumulate in memory. A remote attacker, by sending large or chunked responses and concurrent identical requests from an untrusted endpoint, can exploit this uncontrolled resource consumption. This leads to high memory usage and potential Out-Of-Memory (OOM) process termination, resulting in a Denial of Service (DoS) for the application.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2447171, 2447173, 2447177, 2447180 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2026-03-12 21:01:33 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:7350 https://access.redhat.com/errata/RHSA-2026:7350 This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:7675 https://access.redhat.com/errata/RHSA-2026:7675 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:7670 https://access.redhat.com/errata/RHSA-2026:7670 |