CVE-2026-3449

Severity: Medium (Red Hat)
CVSS v3 Base Score: 4.0
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Published: March 3, 2026
Last Modified: March 3, 2026
Vendor: Red Hat

Description

Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolution when the AbortSignal option is used. After the signal is aborted, the Promise remains permanently pending, so any await or .then() on it hangs indefinitely. This control-flow leak can lead to stalled requests, blocked workers, or degraded application availability.
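
The failure mode described above, as an added example that is not the package's code or its fix: makeOnce, onceLeaky, onceSettling and settlesWithin are hypothetical names, and the event target and 'ready' event are constructed. It puts a waiter that never settles on abort beside one that rejects, with a caller-side timeout check that tells the two apart.

```javascript
// Constructed re-creation of the pattern described above; NOT the source
// of @tootallnate/once. All function names here are hypothetical.

// Builds a one-shot event waiter. With rejectOnAbort=false it reproduces the
// flaw: abort detaches the listener but never settles the Promise.
function makeOnce(rejectOnAbort) {
  return (target, name, { signal } = {}) => new Promise((resolve, reject) => {
    const abortError = () => signal.reason ?? new Error('aborted');
    if (rejectOnAbort && signal?.aborted) return reject(abortError());
    const onEvent = (ev) => {
      signal?.removeEventListener('abort', onAbort);
      resolve(ev);
    };
    const onAbort = () => {
      target.removeEventListener(name, onEvent);
      if (rejectOnAbort) reject(abortError()); // flawed variant skips this
    };
    target.addEventListener(name, onEvent, { once: true });
    signal?.addEventListener('abort', onAbort, { once: true });
  });
}
const onceLeaky = makeOnce(false);   // hangs after abort
const onceSettling = makeOnce(true); // rejects after abort

// Caller-side guard: report whether a promise settled within `ms`.
function settlesWithin(promise, ms) {
  let timer;
  const timeout = new Promise((r) => { timer = setTimeout(r, ms, 'pending'); });
  const outcome = promise.then(() => 'resolved', () => 'rejected');
  return Promise.race([outcome, timeout]).finally(() => clearTimeout(timer));
}

// Abort each variant right after subscribing and classify the result.
async function demo() {
  const out = {};
  for (const [label, once] of [['leaky', onceLeaky], ['settling', onceSettling]]) {
    const ac = new AbortController();
    const pending = once(new EventTarget(), 'ready', { signal: ac.signal });
    ac.abort();
    out[label] = await settlesWithin(pending, 50);
  }
  return out;
}
demo().then(console.log);
```

A check like settlesWithin in a test suite flags an abortable call whose promise is still pending after the abort.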

CWE

CWE-1322

Affected Products

Confidential Compute Attestation
Cryostat 4
Migration Toolkit for Containers
Network Observability Operator
OpenShift Pipelines
OpenShift Service Mesh 2
OpenShift Service Mesh 3
Red Hat Advanced Cluster Management for Kubernetes 2
Red Hat AMQ Broker 7
Red Hat Ansible Automation Platform 2

References