2453284 – (CVE-2026-34043) CVE-2026-34043 serialize-javascript: serialize-javascript: Denial of Service via specially crafted array-like object serialization

Bug 2453284 (CVE-2026-34043) - CVE-2026-34043 serialize-javascript: serialize-javascript: Denial of Service via specially crafted array-like object serialization

Summary: CVE-2026-34043 serialize-javascript: serialize-javascript: Denial of Service ...

Keywords:
Status:	NEW
Alias:	CVE-2026-34043
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2453940 2453942 2453944 2453946 2453947 2453948 2453950 2453938 2453939 2453941 2453943 2453945 2453949
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-31 03:02 UTC by OSIDB Bzimport
Modified:	2026-05-27 09:38 UTC (History)
CC List:	104 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2026:21286	None	None	None	2026-05-27 08:43:52 UTC
Red Hat Product Errata	RHSA-2026:21291	None	None	None	2026-05-27 09:25:03 UTC
Red Hat Product Errata	RHSA-2026:21293	None	None	None	2026-05-27 09:38:51 UTC

Description OSIDB Bzimport 2026-03-31 03:02:30 UTC

Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.

Comment 2 errata-xmlrpc 2026-05-27 08:43:46 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:21286 https://access.redhat.com/errata/RHSA-2026:21286

Comment 3 errata-xmlrpc 2026-05-27 09:24:57 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:21291 https://access.redhat.com/errata/RHSA-2026:21291

Comment 4 errata-xmlrpc 2026-05-27 09:38:44 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:21293 https://access.redhat.com/errata/RHSA-2026:21293

Note You need to log in before you can comment on or make changes to this bug.

aazores
abrianik
adudiak
akostadi
alcohan
amasferr
anjoseph
anthomas
aschwart
asoldano
ataylor
bbaranow
bdettelb
bmaxwell
boliveir
bstansbe
caswilli
chfoley
cmah
dbruscin
dhanak
dlofthou
dmayorov
doconnor
drosa
dschmidt
eaguilar
ebaron
ehelms
erezende
ewittman
fdeutsch
ggainey
ggrzybek
gmalinko
gparvin
ibek
istudens
ivassile
iweiss
janstey
jbalunas
jlanda
jlledo
jolong
jprabhak
jrokos
juwatts
jwong
kaycoth
kshier
kvanderr
lchilton
manissin
mhulan
mnovotny
mosmerov
mposolda
msvehla
nipatil
nmoumoul
nwallace
omaciel
oramraz
osousa
pahickey
pantinor
parichar
pberan
pcreech
pdelbell
pesilva
pjindal
pmackay
rchan
rgodfrey
rhaigner
rkubis
rmartinc
rstancel
rstepani
sausingh
sfeifer
simaishi
smaestri
smallamp
smcdonal
smullick
ssilvert
stcannon
sthorger
stirabos
swoodman
tasato
teagle
thason
thjenkin
tmalecek
tsedmik
ttakamiy
vdosoudi
vmuzikar
wtam
yguenane