Bug 2449789 (CVE-2026-33151) - CVE-2026-33151 socket.io: Socket.IO: Denial of Service due to excessive buffering of specially crafted packets
Summary: CVE-2026-33151 socket.io: Socket.IO: Denial of Service due to excessive buffe...
Keywords:
Status: NEW
Alias: CVE-2026-33151
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2450265 2450267 2450268 2450270 2450272 2450266 2450269 2450271
Blocks:
 
Reported: 2026-03-20 21:02 UTC by OSIDB Bzimport
Modified: 2026-03-23 09:21 UTC (History)
CC List: 7 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-03-20 21:02:59 UTC
Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6.
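The description above says the trigger is a packet that declares a very large number of binary attachments, which the server then waits for and buffers. The following is an added illustration, not socket.io's or socket.io-parser's own code and not the upstream patch (the page does not say what the fix changed): a minimal decoder for the text part of a Socket.IO packet, `<type>[<attachments>-][<namespace>,][<ack id>]<json>`, that rejects the declared attachment count before anything is buffered, cross-checks it against the `_placeholder` objects the payload can actually consume, and bounds the bytes buffered while attachment frames arrive. `MAX_ATTACHMENTS`, `MAX_ATTACHMENT_BYTES` and the sample frames are assumptions constructed for this example.

```javascript
// Added example (not socket.io-parser code). Policy values below are assumed.
const BINARY_EVENT = 5;
const BINARY_ACK = 6;
const MAX_ATTACHMENTS = 16;            // assumed per-packet cap on declared attachments
const MAX_ATTACHMENT_BYTES = 1 << 20;  // assumed per-packet byte budget (1 MiB)

// Collect the "num" of every {"_placeholder":true,"num":n} object in a payload,
// i.e. the attachment slots the packet can actually use once reconstructed.
function collectPlaceholderNums(v, out = []) {
  if (Array.isArray(v)) v.forEach((x) => collectPlaceholderNums(x, out));
  else if (v !== null && typeof v === "object") {
    if (v._placeholder === true && Number.isInteger(v.num)) out.push(v.num);
    else Object.values(v).forEach((x) => collectPlaceholderNums(x, out));
  }
  return out;
}

// Decode "<type>[<attachments>-][<nsp>,][<id>]<json>" into a packet object.
function decodeHeader(str) {
  let i = 0;
  const type = Number(str.charAt(i++));
  if (!Number.isInteger(type) || type < 0 || type > 6) throw new Error("unknown packet type");
  const packet = { type, nsp: "/", attachments: 0, data: undefined };
  const isBinary = type === BINARY_EVENT || type === BINARY_ACK;

  if (isBinary) {
    const start = i;
    while (i < str.length && str.charAt(i) !== "-") i++;
    const count = str.substring(start, i);
    // The declared count is the attacker's lever: validate it before any
    // buffer is allocated or any attachment frame is accepted.
    if (i === str.length || !/^\d+$/.test(count)) throw new Error("illegal attachments field");
    packet.attachments = Number(count);
    if (packet.attachments > MAX_ATTACHMENTS) throw new Error(`too many attachments: ${count}`);
    i++; // skip '-'
  }
  if (str.charAt(i) === "/") {            // optional namespace, terminated by ','
    const start = i;
    while (i < str.length && str.charAt(i) !== ",") i++;
    packet.nsp = str.substring(start, i);
    i++;
  }
  const idStart = i;                      // optional acknowledgement id (digits)
  while (i < str.length && str.charAt(i) >= "0" && str.charAt(i) <= "9") i++;
  if (i > idStart) packet.id = Number(str.substring(idStart, i));

  const rest = str.substring(i);
  if (rest.length > 0) packet.data = JSON.parse(rest);

  if (isBinary) {
    // Every declared attachment must map to exactly one in-range placeholder;
    // surplus attachments would only ever sit in a buffer.
    const nums = collectPlaceholderNums(packet.data);
    const wellFormed = nums.length === packet.attachments &&
      new Set(nums).size === nums.length &&
      nums.every((n) => n >= 0 && n < packet.attachments);
    if (!wellFormed) throw new Error("attachment count does not match payload");
  }
  return packet;
}

// Replace placeholders with the received attachment frames, by index.
function fillPlaceholders(v, buffers) {
  if (Array.isArray(v)) return v.map((x) => fillPlaceholders(x, buffers));
  if (v !== null && typeof v === "object") {
    if (v._placeholder === true && Number.isInteger(v.num)) return buffers[v.num];
    const out = {};
    for (const [k, x] of Object.entries(v)) out[k] = fillPlaceholders(x, buffers);
    return out;
  }
  return v;
}

// Buffers attachment frames for one header under a byte budget, so a peer
// that keeps sending frames cannot grow the buffer without bound.
class BoundedReconstructor {
  constructor(packet) { this.packet = packet; this.buffers = []; this.bytes = 0; }
  // Returns the completed packet when the last declared attachment arrives, else null.
  takeBinary(frame) {
    this.bytes += frame.byteLength;
    if (this.bytes > MAX_ATTACHMENT_BYTES) throw new Error("attachment byte budget exceeded");
    this.buffers.push(frame);
    if (this.buffers.length < this.packet.attachments) return null;
    return { ...this.packet, attachments: 0, data: fillPlaceholders(this.packet.data, this.buffers) };
  }
}

// Feed frames as they would arrive on one connection (strings are headers,
// Uint8Arrays are attachments); returns the decoded packets or throws.
function decodeFrames(frames) {
  const packets = [];
  let pending = null;
  for (const frame of frames) {
    if (typeof frame === "string") {
      if (pending) throw new Error("header arrived while attachments were expected");
      const packet = decodeHeader(frame);
      if (packet.attachments > 0) pending = new BoundedReconstructor(packet);
      else packets.push(packet);
    } else {
      if (!pending) throw new Error("unexpected binary frame");
      const done = pending.takeBinary(frame);
      if (done) { packets.push(done); pending = null; }
    }
  }
  return packets;
}

// Constructed sample traffic (not captured from a real client).
const benign = [
  '52-["upload",{"_placeholder":true,"num":0},{"_placeholder":true,"num":1}]',
  new Uint8Array([1, 2, 3]),
  new Uint8Array([4, 5]),
];
// A header declaring far more attachments than its payload references.
const crafted = ['5100000000-["upload",{"_placeholder":true,"num":0}]'];

function demo() {
  const ok = decodeFrames(benign);
  let rejected = null;
  try { decodeFrames(crafted); } catch (e) { rejected = e.message; }
  return { ok, rejected };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The two checks are deliberately separate: the cap in `decodeHeader` stops the header from ever creating a reconstructor, and the byte budget in `BoundedReconstructor` covers the case where a small declared count is paired with oversized frames. A real deployment would pick limits to match the application's largest legitimate binary event rather than the values assumed here.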

