CVE-2026-2229

high

Red Hat

CVSS v3 Base Score

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score

0.1%

Exploitation probability in 30 days

Top 80% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Confidentiality

None

Integrity

None

Availability

High

Published: March 12, 2026 (62 days ago)

Last Modified: March 12, 2026

Vendor: Red Hat

Source: REDHAT

Description

A flaw was found in the undici WebSocket client. A remote malicious server can exploit this vulnerability by sending a WebSocket frame with an invalid `server_max_window_bits` parameter within the permessage-deflate extension. This improper validation causes the client's Node.js process to terminate, leading to a denial-of-service (DoS) condition for the client.

CWE

CWE-248

Affected Products

Cryostat 4OpenShift LightspeedOpenShift PipelinesRed Hat Developer HubRed Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 9Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat OpenShift AI (RHOAI)

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 cna.openjsf.org 🔗 datatracker.ietf.org

CVE-2026-2229

Vulnerability Report

Description

CWE

Affected Products

References