{"id":"UBUNTU-CVE-2026-2229","details":"Impact\n\nThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.\n\nThe vulnerability exists because:\n\n* The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15\n* The createInflateRaw() call is not wrapped in a try-catch block\n* The resulting exception propagates up through the call stack and crashes the Node.js process","modified":"2026-03-19T08:28:07.414030Z","published":"2026-03-12T21:16:00Z","upstream":["CVE-2026-2229"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-2229"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2026-2229"}],"affected":[{"package":{"name":"node-undici","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/node-undici@5.26.3+dfsg1+~cs23.10.12-2?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["5.22.1+dfsg1+~cs20.10.10.2-1ubuntu1","5.26.3+dfsg1+~cs23.10.12-2"],"ecosystem_specific":{"binaries":[{"binary_name":"node-llhttp","binary_version":"9.1.3~5.26.3+dfsg1+~cs23.10.12-2"},{"binary_name":"node-undici","binary_version":"5.26.3+dfsg1+~cs23.10.12-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-2229.json"}},{"package":{"name":"node-undici","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/node-undici@7.3.0+dfsg1+~cs24.12.11-2?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["7.3.0+dfsg1+~cs24.12.11-1","7.3.0+dfsg1+~cs24.12.11-2"],"ecosystem_specific":{"binaries":[{"binary_name":"libllhttp-dev","binary_version":"9.2.1~7.3.0+dfsg1+~cs24.12.11-2"},{"binary_name":"libllhttp9.2","binary_version":"9.2.1~7.3.0+dfsg1+~cs24.12.11-2"},{"binary_name":"node-llhttp","binary_version":"9.2.1~7.3.0+dfsg1+~cs24.12.11-2"},{"binary_name":"node-undici","binary_version":"7.3.0+dfsg1+~cs24.12.11-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-2229.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}