Bug 2489661 (CVE-2026-48779) - CVE-2026-48779 ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2026-48779
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2489664 2489665 2489666 2489668 2489672 2489673 2489674 2489675 2489677 2489679 2489680 2489681 2489682 2489684 2489688 2489689 2489691 2489692 2489693 2489695 2489696 2489697 2489667 2489669 2489671 2489676 2489678 2489683 2489685 2489686 2489687 2489690 2489694 2489698
Blocks:
Reported: 2026-06-16 22:01 UTC by OSIDB Bzimport
Modified: 2026-06-23 08:29 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-06-17 15:14:31 UTC
Embargoed:



Description OSIDB Bzimport 2026-06-16 22:01:48 UTC
ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to (but not including) 6.2.4, from 7.0.0 up to (but not including) 7.5.11, and from 8.0.0 up to (but not including) 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to out-of-memory (OOM) process termination. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.

Comment 3 Michal Pospisil 2026-06-17 15:14:31 UTC
There is no impact of this CVE on pcs-web-ui installations in production. The vulnerable library (ws) is not included in the production bundle. It is a transitive dependency of development tooling (react-scripts → jsdom). The application source code does not import ws.

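The triage done in the comment above (is the affected ws version present, and does it ship in production or only as a dev-tooling dependency?) can be automated against a package-lock.json. The following is an added example written for this page; it is not code from the ws project or from pcs-web-ui. It encodes the affected ranges exactly as the description states them, walks the lockfileVersion 2/3 "packages" map, and uses the lockfile's `dev: true` marker to separate dev-only copies from production ones. The lockfile contents are constructed for illustration and do not describe any real project.

```javascript
// Added example (not from the ws project or this bug report): check ws entries in a
// package-lock.json against the advisory's affected ranges and flag production copies.

// Affected ranges quoted from the advisory, as [first affected, first fixed) pairs.
const AFFECTED_RANGES = [
  ['1.1.0', '5.2.5'],
  ['6.0.0', '6.2.4'],
  ['7.0.0', '7.5.11'],
  ['8.0.0', '8.21.0'],
];

// Parse "MAJOR.MINOR.PATCH" into numbers; any pre-release or build suffix is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric component-wise comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the version falls inside any half-open [min, fixed) affected range.
function isAffected(version) {
  return AFFECTED_RANGES.some(([min, fixed]) =>
    compareVersions(version, min) >= 0 && compareVersions(version, fixed) < 0);
}

// Collect every ws entry (top-level or nested) from a lockfileVersion 2/3 object.
// In those lockfile formats, entries installed only for devDependencies carry dev: true.
function findWs(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/ws' || path.endsWith('/node_modules/ws')) {
      hits.push({
        path,
        version: entry.version,
        devOnly: entry.dev === true,
        affected: isAffected(entry.version),
      });
    }
  }
  return hits;
}

// Only copies that are both affected and installed for production need action.
function productionRisk(lock) {
  return findWs(lock).filter((h) => h.affected && !h.devOnly);
}

// Constructed sample lockfile (hypothetical; not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/jsdom': { version: '20.0.3', dev: true },
    'node_modules/jsdom/node_modules/ws': { version: '8.13.0', dev: true },
    'node_modules/ws': { version: '8.21.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Stand-alone run: print every ws copy, then the production-relevant subset.
  for (const h of findWs(SAMPLE_LOCK)) {
    console.log(`${h.path} ${h.version} affected=${h.affected} devOnly=${h.devOnly}`);
  }
  console.log('production risk entries:', productionRisk(SAMPLE_LOCK).length);
}
```

For a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. A dev-only hit (as in the comment above) still merits upgrading the tooling, but it does not place the vulnerable code path in the deployed service.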
