CVE-2026-22036

low

Red Hat

CVSS v3 Base Score

3.7

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS Score

0.0%

Exploitation probability in 30 days

Top 95% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Confidentiality

None

Integrity

None

Availability

Low

Published: January 14, 2026 (120 days ago)

Last Modified: January 14, 2026

Vendor: Red Hat

Description

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.

CWE

CWE-770

Affected Products

Cryostat 4OpenShift PipelinesRed Hat Advanced Cluster Management for Kubernetes 2Red Hat Developer HubRed Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 9Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat OpenShift AI (RHOAI)

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 github.com 🔗 github.com

CVE-2026-22036

Vulnerability Report

Description

CWE

Affected Products

References