2429741 – (CVE-2026-22036) CVE-2026-22036 undici: Undici: Denial of Service via excessive decompression steps

Bug 2429741 (CVE-2026-22036) - CVE-2026-22036 undici: Undici: Denial of Service via excessive decompression steps

Summary: CVE-2026-22036 undici: Undici: Denial of Service via excessive decompression ...

Keywords:
Status:	NEW
Alias:	CVE-2026-22036
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2430293 2430294 2430295 2430296 2430297 2430298 2430299 2430300
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-14 20:01 UTC by OSIDB Bzimport
Modified:	2026-04-29 07:35 UTC (History)
CC List:	51 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-14 20:01:29 UTC

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.

Note You need to log in before you can comment on or make changes to this bug.

aazores
abarbaro
alcohan
alizardo
anjoseph
asoldano
bbaranow
bmaxwell
brian.stansberry
bstansbe
cmah
darran.lofthouse
dlofthou
dosoudil
eaguilar
ebaron
gparvin
istudens
ivassile
iweiss
jbalunas
jchui
jhe
jkoehler
jolong
jprabhak
ktsao
lphiri
manissin
mosmerov
msvehla
nboldt
nwallace
oaljalju
owatkins
pahickey
pberan
pesilva
pjindal
pmackay
psrna
rhaigner
rhel-process-autobot
rstancel
sdawley
smaestri
thjenkin
tom.jenkinson
vdosoudi
watson-tool-maintainers
wtam