CVE-2026-27889: NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead
An unauthenticated remote attacker can crash the entire nats-server process by sending a single malicious WebSocket frame (15 bytes after the HTTP upgrade handshake). The server fails to validate the RFC 6455 §5.2 requirement that the most significant bit of a 64-bit extended payload length must be zero. The resulting uint64 → int conversion produces a negative value, which bypasses the bounds clamp and triggers an unrecovered panic in the connection’s goroutine — killing the entire server process and disconnecting all clients. This affects all platforms (64-bit and 32-bit).
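The length handling described above, reconstructed as an added Go example (not nats-server's own code): `rawPayloadLen` decodes the frame length field, `vulnerablePayloadLen` reproduces the uint64 to int conversion that lets an MSB-set 64-bit length go negative and pass the size clamp, and `safePayloadLen` applies the RFC 6455 §5.2 check first. The function names and the 1 MiB frame cap are assumptions; the negative-length path is shown for 64-bit hosts.

```go
package main

import (
	"encoding/binary"
	"errors"
)
// Example reconstruction, not nats-server code; the 1 MiB cap is assumed.
const maxFrameSize = 1 << 20
// rawPayloadLen decodes the WebSocket length field: low 7 bits of byte 1,
// with 126 => 16-bit extended length and 127 => 64-bit extended length.
func rawPayloadLen(hdr []byte) (uint64, error) {
	if len(hdr) < 2 {
		return 0, errors.New("ws: header truncated")
	}
	switch l := hdr[1] & 0x7f; {
	case l < 126:
		return uint64(l), nil
	case l == 126 && len(hdr) >= 4:
		return uint64(binary.BigEndian.Uint16(hdr[2:4])), nil
	case l == 127 && len(hdr) >= 10:
		return binary.BigEndian.Uint64(hdr[2:10]), nil
	}
	return 0, errors.New("ws: extended length truncated")
}

// vulnerablePayloadLen mirrors the flaw: uint64 -> int with no MSB check.
func vulnerablePayloadLen(hdr []byte) (int, error) {
	n, err := rawPayloadLen(hdr)
	if err != nil {
		return 0, err
	}
	if l := int(n); l <= maxFrameSize {
		return l, nil // negative when n >= 1<<63; downstream slicing then panics
	}
	return 0, errors.New("ws: frame too large")
}

// safePayloadLen enforces RFC 6455 §5.2 (MSB must be zero) before converting.
func safePayloadLen(hdr []byte) (int, error) {
	n, err := rawPayloadLen(hdr)
	switch {
	case err != nil:
		return 0, err
	case n>>63 != 0:
		return 0, errors.New("ws: 64-bit length has MSB set")
	case n > maxFrameSize:
		return 0, errors.New("ws: frame too large")
	}
	return int(n), nil
}
```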