CVE Vulnerabilities

CVE-2026-45736

Use of Uninitialized Resource

Published: May 15, 2026 | Modified: Jul 02, 2026
CVSS 3.x (Source: NVD): 7.5 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
RedHat/V3: 7.5 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Ubuntu: MEDIUM

ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.

Weakness

The product uses or accesses a resource that has not been initialized.

Affected Software

Name | Vendor | Start Version | End Version
Ws | Ws_project | 8.0.0 (including) | 8.20.1 (excluding)
Red Hat Ansible Automation Platform 2.6 | RedHat | ansible-automation-platform-26/gateway-rhel9:1782761510 | *
Red Hat Developer Hub 1.9 | RedHat | rhdh/rhdh-hub-rhel9:1782761244 | *
Red Hat Discovery 2 | RedHat | discovery/discovery-ui-rhel9:1782166952 | *
Red Hat Hardened Images | RedHat | dotnet10-0-main-10.0.109-1.hum1 | *
Red Hat Hardened Images | RedHat | dotnet8-0-main-8.0.128-1.hum1 | *
Red Hat Hardened Images | RedHat | dotnet9-0-main-9.0.118-1.hum1 | *
Red Hat Hardened Images | RedHat | yarnpkg-main-1.22.22-18.1.hum1 | *
Node-ws | Ubuntu | upstream | *

Potential Mitigations

References