Lucene search
K

126 matches found

RedHat Linux
RedHat Linux
added 2026/07/06 4:52 a.m.7 views

undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames

A flaw was found in undici. A malicious WebSocket server can exploit this by streaming numerous small or empty continuation frames. This can bypass per-frame and cumulative-size validation, leading to unbounded memory growth in the client process. The primary consequence is memory exhaustion,...

7.5CVSS7AI score0.00759EPSS
Exploits0References6
Tenable Nessus
Tenable Nessus
added 2026/06/20 12:0 a.m.16 views

Linux Distros Unpatched Vulnerability : CVE-2026-12151

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of...

7.5CVSS7.1AI score0.00759EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/18 12:14 a.m.13 views

CVE-2026-12151

A flaw was found in undici. A malicious WebSocket server can exploit this by streaming numerous small or empty continuation frames. This can bypass per-frame and cumulative-size validation, leading to unbounded memory growth in the client process. The primary consequence is memory exhaustion,...

7.5CVSS4.9AI score0.00759EPSS
Exploits0References5
NVD
NVD
added 2026/06/17 5:17 p.m.14 views

CVE-2026-9675

Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causin...

7.5CVSS0.00426EPSS
Exploits0References2
OSV
OSV
added 2026/06/17 5:17 p.m.4 views

UBUNTU-CVE-2026-9675

Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causin...

7.5CVSS6.4AI score0.00426EPSS
Exploits0References3
OSV
OSV
added 2026/06/17 5:16 p.m.13 views

UBUNTU-CVE-2026-12151

Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size...

7.5CVSS5.9AI score0.00759EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/17 4:20 p.m.27 views

CVE-2026-9675 undici WebSocket client vulnerable to denial of service via cumulative fragment bypass

Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causin...

7.5CVSS0.00426EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/17 4:5 p.m.34 views

CVE-2026-12151 undici WebSocket client vulnerable to denial of service via fragment count bypass

Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size...

7.5CVSS0.00759EPSS
Exploits0References2
Debian CVE
Debian CVE
added 2026/06/17 4:5 p.m.7 views

CVE-2026-12151

Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size...

7.5CVSS5.3AI score0.00759EPSS
Exploits0
Vulnrichment
Vulnrichment
added 2026/06/17 4:5 p.m.9 views

CVE-2026-12151 undici WebSocket client vulnerable to denial of service via fragment count bypass

Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size...

7.5CVSS5.3AI score0.00759EPSS
Exploits0References2
OSV
OSV
added 2026/06/17 4:5 p.m.3 views

CVE-2026-12151 undici WebSocket client vulnerable to denial of service via fragment count bypass

Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size...

7.5CVSS7.1AI score0.00759EPSS
Exploits0References16
OSV
OSV
added 2026/06/17 1:20 p.m.6 views

UBUNTU-CVE-2026-48779

ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to but not including 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally...

7.5CVSS5.7AI score0.00782EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.20 views

PT-2026-50456

Name of the Vulnerable Software and Affected Versions undici versions 6.17.0 through 6.25.x undici versions 7.0.0 through 7.27.x undici versions 8.0.0 through 8.4.x Description The WebSocket client fails to limit the number of fragments in a message, only enforcing the maxPayloadSize on the...

7.5CVSS5.3AI score0.00759EPSS
Exploits0References136
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/11 12:19 a.m.14 views

Malicious code in hex-type (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f7d0271fe97ea66e9ff2ba3a0ea225364324f28138af32c337d6ed8b2b99e5ad Package metadata description "A universally-unique, lexicographically-sortable, identifier generator", homepage github.com/ulid/javascript, build...

5.5AI score
Exploits0References2
OSV
OSV
added 2026/06/11 12:19 a.m.11 views

MAL-2026-5538 Malicious code in hex-type (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f7d0271fe97ea66e9ff2ba3a0ea225364324f28138af32c337d6ed8b2b99e5ad Package metadata description "A universally-unique, lexicographically-sortable, identifier generator", homepage github.com/ulid/javascript, build...

5.5AI score
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/05/26 8:14 p.m.11 views

CVE-2026-47073

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The WebSocket client in src/hackneyws.erl imposes no upper bound on memory consumption in three code paths. First, readhandshakeresponse/3 accumulates received bytes into a growing buffer with n...

8.7CVSS5.9AI score0.00825EPSS
Exploits1References1
NVD
NVD
added 2026/05/25 3:16 p.m.21 views

CVE-2026-47073

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The WebSocket client in src/hackneyws.erl imposes no upper bound on memory consumption in three code paths. First, readhandshakeresponse/3 accumulates received bytes into a growing buffer with n...

8.7CVSS0.00825EPSS
Exploits1References4
CVE
CVE
added 2026/05/25 2:0 p.m.36 views

CVE-2026-47073

CVE-2026-47073 affects hackney WebSocket client (src/hackney_ws.erl) causing unbounded memory growth via three paths: read_handshake_response/3 accumulates an unbounded buffer due to lack of size cap; parse_payload/9 and parse_active_payload/8 do not enforce a maximum frame payload length; and fr...

8.7CVSS5.9AI score0.00825EPSS
Exploits1References4Affected Software1
CNNVD
CNNVD
added 2026/05/25 12:0 a.m.10 views

Hackney 安全漏洞

Hackney is a program library from Hackney, Inc. A security vulnerability exists in Hackney versions prior to 2.0.0 through 4.0.1, which stems from a WebSocket client that does not set an upper limit on memory consumption, potentially leading to resource exhaustion...

8.7CVSS5.8AI score0.00825EPSS
Exploits1References5
Debian CVE
Debian CVE
added 2026/05/15 2:53 p.m.11 views

CVE-2026-45736

ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1...

7.5CVSS5.8AI score0.00745EPSS
Exploits1
Rows per page
Query Builder