Vulnerabilities
Misconfiguration
Compliance
CVE Vulnerabilities

CVE-2026-2229

Uncaught Exception

Published: Mar 12, 2026 | Modified: Mar 20, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
7.5 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
Vulnerability-free packages from our partners
root.io logo minimus.io logo echo.ai logo
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2026-2229
CWEhttps://cwe.mitre.org/data/definitions/248.html

ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlibs valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.

The vulnerability exists because:

  • The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
  • The createInflateRaw() call is not wrapped in a try-catch block
  • The resulting exception propagates up through the call stack and crashes the Node.js process

Weakness

An exception is thrown from a function, but it is not caught.

Affected Software

NameVendorStart VersionEnd Version
UndiciNodejs*6.24.0 (excluding)
UndiciNodejs7.0.0 (including)7.24.0 (excluding)
Cryostat 4 on RHEL 9RedHatcryostat/cryostat-openshift-console-plugin-rhel9:4.2.0-9*
Cryostat 4 on RHEL 9RedHatcryostat/cryostat-rhel9:4.2.0-9*
Red Hat Enterprise Linux 10RedHatnodejs22-1:22.22.2-1.el10_1*
Red Hat Enterprise Linux 10RedHatnodejs24-1:24.14.1-2.el10_1*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatnodejs22-1:22.22.2-2.el10_0*
Red Hat Enterprise Linux 8RedHatnodejs:22-8100020260331102257.6d880403*
Red Hat Enterprise Linux 8RedHatnodejs:24-8100020260408131901.6d880403*
Red Hat Enterprise Linux 9RedHatnodejs:22-9070020260401095228.rhel9*
Red Hat Enterprise Linux 9RedHatnodejs:24-9070020260402152654.rhel9*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatnodejs:22-9060020260409121057.rhel9*
Red Hat Developer Hub 1.8RedHatrhdh/rhdh-hub-rhel9:1776784286*
Red Hat Developer Hub 1.9RedHatrhdh/rhdh-hub-rhel9:1777903262*
Red Hat OpenShift AI 2.16RedHatrhoai/odh-dashboard-rhel8:1774282136*
Red Hat OpenShift Dev Spaces 3.28RedHatdevspaces/code-rhel9:1779814592*
Red Hat OpenShift Pipelines 1.2RedHatopenshift-pipelines/pipelines-console-plugin-rhel9:1779910201*

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2026 Aqua Security Software Ltd.   Privacy Policy | Terms of Use