CVE-2026-48779: ws: Memory exhaustion DoS from tiny fragments and data chunks
A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM.
References
- github.com/advisories/GHSA-96hv-2xvq-fx4p
- github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7
- github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53
- github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94
- github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8
- github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p
- nvd.nist.gov/vuln/detail/CVE-2026-48779
Code Behaviors & Features
Detect and mitigate CVE-2026-48779 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →