ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.
CVE-2026-48779
This high-severity CVE scores 7.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.8%, top 48% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
A fix is available — apply it.
- CVSS v3
- 7.5
- EG Score
- 7.5(medium)
- EPSS
- 51.6%
- KEV
- Not listed
Published
June 15, 2026
Last Modified
July 6, 2026
Advisory Details (5)
Auto-updated Jun 17, 2026Memory exhaustion DoS from tiny fragments and data chunks · Advisory · websockets/ws · GitHub
https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4pcommit fd36cd864fcd (websockets/ws)
Patch available: websockets/ws 7.5.11 (contains commit fd36cd864fcd)
https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8commit bca91adf1567 (websockets/ws)
Patch available: websockets/ws 8.21.0 (contains commit bca91adf1567)
https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94commit b5372ac67bb9 (websockets/ws)
Patch available: websockets/ws 5.2.5 (contains commit b5372ac67bb9)
https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53commit 86d3e8a5fb02 (websockets/ws)
Patch available: websockets/ws 6.2.4 (contains commit 86d3e8a5fb02)
https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7Vendor Advisories for CVE-2026-48779(10)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2026:34342Red Hat Product SecurityCritical
Red Hat Security Advisory: Cluster Observability Operator 1.5.0
- CVE-2026-48779Microsoft Security Response Center (MSRC)High
ws: Memory exhaustion DoS from tiny fragments and data chunks
- RHSA-2026:33574Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Developer Hub 1.9.6 release.
- RHSA-2026:33183Red Hat Product SecurityHigh
Red Hat Security Advisory: Kiali 2.22.6 for Red Hat OpenShift Service Mesh 3.3
- RHSA-2026:33173Red Hat Product SecurityHigh
Red Hat Security Advisory: Kiali 2.17.10 for Red Hat OpenShift Service Mesh 3.2
- RHSA-2026:33163Red Hat Product SecurityHigh
Red Hat Security Advisory: Kiali 2.11.13 for Red Hat OpenShift Service Mesh 3.1
- RHSA-2026:33160Red Hat Product SecurityHigh
Red Hat Security Advisory: Kiali 2.4.19 for Red Hat OpenShift Service Mesh 3.0
- RHSA-2026:33155Red Hat Product SecurityHigh
Red Hat Security Advisory: Kiali 1.73.33 for Red Hat OpenShift Service Mesh 2.6
- +2 more
Patch Availability(8)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| redhat | cluster-observability-operator/troubleshooting-panel-console-plugin-rhel9:1782839494 | 2026-07-01 | redhat |
| redhat | rhdh/rhdh-hub-rhel9:1782761244 | 2026-06-30 | redhat |
| redhat | openshift-service-mesh/kiali-rhel9:1782201466 | 2026-06-29 | redhat |
| redhat | openshift-service-mesh/kiali-rhel8:1782287580 | 2026-06-29 | redhat |
| redhat | openshift-service-mesh/kiali-rhel9:1782201833 | 2026-06-29 | redhat |
| redhat | openshift-service-mesh/kiali-rhel9:1782201537 | 2026-06-29 | redhat |
| redhat | openshift-service-mesh/kiali-rhel9:1782201812 | 2026-06-29 | redhat |
| redhat | discovery/discovery-ui-rhel9:1782166952 | 2026-06-24 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
npm(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| ws | — | 8.21.0 | — |
Weakness Classification(3)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 34× in last 7d / 97× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-07 00:23 UTCEG score recompute
- 2026-07-07 00:23 UTCVendor advisory
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 21:49 UTCEG score recompute
- 2026-07-05 21:49 UTCVendor advisory
- 2026-07-05 10:43 UTCEG score recompute
- 2026-07-05 10:43 UTCVendor advisory
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 23:39 UTCEG score recompute
- 2026-07-04 23:39 UTCVendor advisory
- 2026-07-04 12:34 UTCEG score recompute
- 2026-07-04 12:34 UTCVendor advisory
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-04 01:23 UTCEG score recompute
- 2026-07-04 01:23 UTCVendor advisory
- 2026-07-03 14:17 UTCEG score recompute
- 2026-07-03 14:17 UTCVendor advisory
- 2026-07-03 00:40 UTCEG score recompute
- 2026-07-03 00:40 UTCVendor advisory
- 2026-07-02 13:29 UTCEG score recompute
- 2026-07-02 13:29 UTCVendor advisory
- 2026-07-02 02:00 UTCEG score recompute
- 2026-07-02 02:00 UTCVendor advisory
- 2026-07-01 15:07 UTCEPSS rescore
Show 72 moreShow fewer
- 2026-07-01 14:54 UTCEG score recompute
- 2026-07-01 14:54 UTCVendor advisory
- 2026-07-01 03:50 UTCEG score recompute
- 2026-07-01 03:50 UTCVendor advisory
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-30 16:46 UTCEG score recompute
- 2026-06-30 16:46 UTCVendor advisory
- 2026-06-30 05:41 UTCEG score recompute
- 2026-06-30 05:41 UTCVendor advisory
- 2026-06-29 18:34 UTCEG score recompute
- 2026-06-29 18:34 UTCVendor advisory
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 06:36 UTCEG score recompute
- 2026-06-29 06:36 UTCVendor advisory
- 2026-06-28 19:20 UTCEG score recompute
- 2026-06-28 19:20 UTCVendor advisory
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 08:16 UTCEG score recompute
- 2026-06-28 08:16 UTCVendor advisory
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-27 21:12 UTCEG score recompute
- 2026-06-27 21:12 UTCVendor advisory
- 2026-06-27 10:06 UTCEG score recompute
- 2026-06-27 10:06 UTCVendor advisory
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-26 23:02 UTCEG score recompute
- 2026-06-26 23:02 UTCVendor advisory
- 2026-06-26 11:58 UTCEG score recompute
- 2026-06-26 11:58 UTCVendor advisory
- 2026-06-25 22:49 UTCEG score recompute
- 2026-06-25 22:49 UTCVendor advisory
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-25 11:44 UTCEG score recompute
- 2026-06-25 11:44 UTCVendor advisory
- 2026-06-25 00:38 UTCEG score recompute
- 2026-06-25 00:38 UTCVendor advisory
- 2026-06-24 14:05 UTCEPSS rescore
- 2026-06-24 13:33 UTCEG score recompute
- 2026-06-24 02:29 UTCEG score recompute
- 2026-06-23 21:33 UTCEPSS rescore
- 2026-06-23 21:33 UTCEPSS rescore
- 2026-06-23 15:25 UTCEG score recompute
- 2026-06-23 04:20 UTCEG score recompute
- 2026-06-22 17:15 UTCEG score recompute
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-22 05:26 UTCEG score recompute
- 2026-06-21 18:22 UTCEG score recompute
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 06:37 UTCEG score recompute
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-20 19:31 UTCEG score recompute
- 2026-06-20 08:07 UTCEG score recompute
- 2026-06-19 21:00 UTCEG score recompute
- 2026-06-19 19:26 UTCEPSS rescore
- 2026-06-19 19:26 UTCEPSS rescore
- 2026-06-19 09:55 UTCEG score recompute
- 2026-06-18 22:49 UTCEG score recompute
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-18 11:46 UTCEG score recompute
- 2026-06-18 00:42 UTCEG score recompute
- 2026-06-17 17:53 UTCEPSS rescore
- 2026-06-17 13:34 UTCEG score recompute
- 2026-06-17 02:30 UTCEG score recompute
- 2026-06-16 15:27 UTCEG score recompute
- 2026-06-16 04:22 UTCEG score recompute
- 2026-06-15 17:16 UTCEG score recompute
Related CVEs(same vendor + same CWE)
Same vendor
10 shownredhat
Same CWE
10 shownCWE-400
Frequently asked(5)
What is CVE-2026-48779?
When was CVE-2026-48779 disclosed?
Is CVE-2026-48779 actively exploited?
What is the CVSS score of CVE-2026-48779?
How do I remediate CVE-2026-48779?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-48779
Is Your Infrastructure Affected by CVE-2026-48779?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.