CVE-2026-3449

Severity: Medium (Red Hat)
CVSS v3 Base Score: 4.0 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0% (exploitation probability in 30 days)
Top 98% most likely to be exploited

Attack Characteristics
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Confidentiality: None
Integrity: None
Availability: Low

Published: March 3, 2026 (72 days ago)
Last Modified: March 3, 2026
Vendor: Red Hat

Description

Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when the AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.
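
The failure mode described above, as an added example (not code from @tootallnate/once or from this advisory). onceLeaky and onceAbortable are constructed stand-ins built on the global EventTarget, and stateAfter is a hypothetical probe that a regression test can use to catch a promise left pending after abort.

```javascript
// Constructed stand-ins on EventTarget (an assumption), not the package's source.

// Pattern the description warns about: abort only cleans up, promise never settles.
function onceLeaky(target, name, { signal } = {}) {
  return new Promise((resolve) => {
    const onEvent = (ev) => { cleanup(); resolve(ev); };
    const cleanup = () => {
      target.removeEventListener(name, onEvent);
      signal?.removeEventListener('abort', cleanup);
    };
    target.addEventListener(name, onEvent);
    signal?.addEventListener('abort', cleanup);
  });
}

// Hardened form: abort is a terminal outcome and rejects with signal.reason.
function onceAbortable(target, name, { signal } = {}) {
  return new Promise((resolve, reject) => {
    if (signal?.aborted) return reject(signal.reason);
    const onEvent = (ev) => { cleanup(); resolve(ev); };
    const onAbort = () => { cleanup(); reject(signal.reason); };
    const cleanup = () => {
      target.removeEventListener(name, onEvent);
      signal?.removeEventListener('abort', onAbort);
    };
    target.addEventListener(name, onEvent);
    signal?.addEventListener('abort', onAbort, { once: true });
  });
}

// Probe for tests: report how a promise stands after `ms` milliseconds.
function stateAfter(promise, ms) {
  let timer;
  const deadline = new Promise((r) => { timer = setTimeout(r, ms, 'pending'); });
  const settled = promise.then(() => 'fulfilled', () => 'rejected');
  return Promise.race([settled, deadline]).finally(() => clearTimeout(timer));
}

// Abort each helper mid-wait and return the state observed for both.
async function demo() {
  const results = {};
  for (const [label, once] of [['leaky', onceLeaky], ['abortable', onceAbortable]]) {
    const ac = new AbortController();
    const p = once(new EventTarget(), 'ready', { signal: ac.signal });
    ac.abort();
    results[label] = await stateAfter(p, 50);
  }
  return results; // { leaky: 'pending', abortable: 'rejected' }
}
```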

CWE

CWE-1322

Affected Products

Confidential Compute Attestation
Cryostat 4
Migration Toolkit for Containers
Network Observability Operator
OpenShift Pipelines
OpenShift Service Mesh 2
OpenShift Service Mesh 3
Red Hat Advanced Cluster Management for Kubernetes 2
Red Hat AMQ Broker 7
Red Hat Ansible Automation Platform 2
