CVE-2026-2229

high

Red Hat

CVSS v3 Base Score

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Published: March 12, 2026

Last Modified: March 12, 2026

Vendor: Red Hat

Source: REDHAT

Description

A flaw was found in the undici WebSocket client. A remote malicious server can exploit this vulnerability by sending a WebSocket frame with an invalid `server_max_window_bits` parameter within the permessage-deflate extension. This improper validation causes the client's Node.js process to terminate, leading to a denial-of-service (DoS) condition for the client.

CWE

CWE-248

Affected Products

Cryostat 4OpenShift LightspeedOpenShift PipelinesRed Hat Developer HubRed Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 9Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat OpenShift AI (RHOAI)

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 cna.openjsf.org 🔗 datatracker.ietf.org

CVE-2026-2229

Vulnerability Report

Description

CWE

Affected Products

References