Bug 2490006 (CVE-2026-6733) - CVE-2026-6733 undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.
Keywords:
Status: NEW
Alias: CVE-2026-6733
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2490212 2490213 2490214 2490215
Blocks:
Reported: 2026-06-17 19:02 UTC by OSIDB Bzimport
Modified: 2026-06-17 23:16 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-17 19:02:40 UTC
Impact:
Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests.

This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse.

Patches:
Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.

Workarounds:
Disable keep-alive connection reuse by setting keepAliveTimeout: 0 on the Client or Pool.
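The following is an added example for the patch and workaround sections above; it is not code from undici or from this advisory. It checks whether an installed undici version string is at or above the fixed release for its major line (6.26.0, 7.28.0, 8.5.0) and, when it is not, applies the advisory's workaround by setting keepAliveTimeout: 0 on the options object that would be passed to new Client(origin, options) or new Pool(origin, options). The function names, the treatment of prerelease builds as older than the final release, and the conservative decision to report any major line the advisory does not list as unfixed are assumptions of this example.

```javascript
// Added example (not undici's own code): decide whether an installed undici
// carries the fix for CVE-2026-6733, and build the keep-alive-disabled options
// that the advisory gives as a workaround when it does not.

// Fixed releases named in the advisory, keyed by major release line.
const FIXED_VERSIONS = { 6: [6, 26, 0], 7: [7, 28, 0], 8: [8, 5, 0] };

// Parse "7.28.0" or "v7.28.0" into numeric parts. A prerelease suffix such as
// "8.5.0-rc.1" is recorded and treated as older than the final release
// (assumption of this example).
function parseVersion(version) {
  const match = /^v?(\d+)\.(\d+)\.(\d+)(-.*)?$/.exec(String(version).trim());
  if (!match) throw new Error(`unrecognised version string: ${version}`);
  return {
    parts: [1, 2, 3].map((i) => Number(match[i])),
    prerelease: Boolean(match[4]),
  };
}

// Lexicographic compare of [major, minor, patch] triples: -1, 0 or 1.
function compareParts(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True only when the version sits on a release line the advisory lists (6, 7, 8)
// and is at or above that line's fixed release. Any other major, including
// lines the advisory does not mention, is conservatively reported as unfixed;
// that is this example's policy, not a statement from the advisory.
function isFixedUndiciVersion(version) {
  const { parts, prerelease } = parseVersion(version);
  const fixed = FIXED_VERSIONS[parts[0]];
  if (!fixed) return false;
  const cmp = compareParts(parts, fixed);
  if (cmp > 0) return true;
  if (cmp < 0) return false;
  return !prerelease; // exactly the fixed version: only the final release counts
}

// Workaround from the advisory: keepAliveTimeout: 0 stops the Client or Pool
// from reusing an idle socket, so an unsolicited response left on that socket
// cannot be matched to a later request. The caller's other options are kept.
function withoutKeepAlive(options = {}) {
  return { ...options, keepAliveTimeout: 0 };
}

// Return the options to use for a given installed version: unchanged when the
// fix is present, with keep-alive reuse disabled when it is not.
function mitigationFor(installedVersion, options = {}) {
  if (isFixedUndiciVersion(installedVersion)) {
    return { needsWorkaround: false, options };
  }
  return { needsWorkaround: true, options: withoutKeepAlive(options) };
}

// Stand-alone usage with a constructed version string and options object.
console.log(mitigationFor('7.27.0', { connections: 4 }));
```

The resulting options object is what you would hand to the undici Client or Pool constructor; once the upgrade to a fixed release is in place, mitigationFor returns the caller's options untouched so keep-alive reuse can be re-enabled.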

