Bug 2489661 (CVE-2026-48779)
| Summary: | CVE-2026-48779 ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aazores, abarbaro, abrianik, abuckta, adudiak, alcohan, alizardo, anpicker, anthomas, anujha, aschwart, asoldano, aszczucz, ataylor, bbaranow, bbrownin, bdettelb, bmaxwell, boliveir, bparees, brasmith, bstansbe, cdrage, cmah, cochase, dbruscin, dkeler, dkuc, dlofthou, doconnor, dranck, drichtar, dschmidt, dymurray, eaguilar, ebaron, eborisov, ehelms, ehugonne, erezende, fdeutsch, fmariani, ggainey, ggrzybek, gmalinko, gotiwari, gparvin, hasun, ibolton, istudens, ivassile, iweiss, janstey, jbalunas, jchui, jfula, jhe, jhorak, jkoehler, jlanda, jmatthew, jmontleo, jolong, jowilson, jpasqual, jraez, juwatts, jwong, jwon, kaycoth, kshier, ktsao, kvanderr, lball, lchilton, lphiri, manissin, mcarlett, mhulan, mosmerov, mposolda, mpospisi, mstipich, msvehla, mvyas, nboldt, ngough, nmoumoul, nwallace, nyancey, oaljalju, omaciel, ometelka, orabin, oramraz, osousa, pahickey, parichar, pberan, pcreech, pdelbell, pesilva, pgaikwad, pjindal, pmackay, psrna, ptisnovs, rchan, rexwhite, rhaigner, rhel-process-autobot, rjohnson, rmartinc, rstancel, rstepani, rushinde, sdawley, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, sseago, ssilvert, stcannon, sthirugn, sthorger, stirabos, suppawar, syedriko, tasato, tcunning, teagle, thason, thjenkin, tmalecek, ttakamiy, vdosoudi, veshanka, vmuzikar, watson-tool-maintainers, xdharmai, yfang, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in ws, an open source WebSocket client and server. A remote attacker can exploit this memory exhaustion vulnerability by sending a high volume of exceptionally small fragments and data chunks. This action forces the affected component to allocate and hold structural wrappers that consume excessive memory. Consequently, this leads to process termination and a denial of service (DoS) for the remote peer.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2026-06-17 15:14:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2489664, 2489665, 2489666, 2489668, 2489672, 2489673, 2489674, 2489675, 2489677, 2489679, 2489681, 2489682, 2489684, 2489688, 2489689, 2489691, 2489692, 2489693, 2489695, 2489696, 2489697, 2489667, 2489669, 2489671, 2489676, 2489678, 2489680, 2489683, 2489685, 2489686, 2489687, 2489690, 2489694, 2489698 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2026-06-16 22:01:48 UTC
There is no impact of this CVE on pcs-web-ui installations in production. The vulnerable library (ws) is not included in the production bundle. It a transitive dependency of development tooling (react-scripts → jsdom). The application source code does not import ws. |