CVE-2022-35922
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2022-08-01T22:15:10.460 · Last modified 2026-06-17T04:52:31.603

Summary

Rust-WebSocket is a WebSocket (RFC 6455) library written in Rust. In versions prior to 0.26.5, untrusted WebSocket connections can cause an out-of-memory (OOM) process abort in a client or a server. The root cause lies in dataframe parsing: affected versions allocate a buffer sized by the declared dataframe length, which may come from an untrusted source. When `Vec::with_capacity` fails to allocate, the default Rust allocator aborts the current process, killing all threads. This affects only the sync (non-Tokio) implementation. The async version also does not limit memory, but it does not use `with_capacity`, so a DoS is possible only when the bytes of an oversized dataframe or message are actually delivered by the attacker. The crashes are fixed in version 0.26.5 by imposing default data
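The allocation pattern the summary describes and the check that removes it, as an added Rust example (this is not rust-websocket's own code; `read_frame`, `MAX_DATAFRAME_SIZE` and the 16 MiB limit are assumptions for illustration):

```rust
use std::io::{self, Read};

/// Default cap on a single dataframe payload. The value is an assumption for
/// this example, not the limit shipped by rust-websocket 0.26.5.
pub const MAX_DATAFRAME_SIZE: usize = 16 * 1024 * 1024;

/// Read one RFC 6455 frame from `r` and return its (unmasked) payload.
/// The declared length is validated against `limit` BEFORE any buffer is
/// allocated, so a header alone can no longer force a large allocation, and
/// `try_reserve_exact` turns allocator failure into an error instead of an abort.
pub fn read_frame<R: Read>(r: &mut R, limit: usize) -> io::Result<Vec<u8>> {
    let bad = |m: &str| io::Error::new(io::ErrorKind::InvalidData, m.to_string());
    let mut hdr = [0u8; 2];
    r.read_exact(&mut hdr)?;
    let masked = hdr[1] & 0x80 != 0;
    // 7-bit length, or 16-bit (126) / 64-bit (127) extended length field.
    let declared: u64 = match hdr[1] & 0x7f {
        n @ 0..=125 => n as u64,
        126 => { let mut b = [0u8; 2]; r.read_exact(&mut b)?; u16::from_be_bytes(b) as u64 }
        _ => { let mut b = [0u8; 8]; r.read_exact(&mut b)?; u64::from_be_bytes(b) }
    };
    // The missing check: never trust the peer's length field when sizing a buffer.
    if declared > limit as u64 {
        return Err(bad("declared dataframe size exceeds limit"));
    }
    let len = declared as usize;
    let mut mask = [0u8; 4];
    if masked {
        r.read_exact(&mut mask)?;
    }
    // Fallible allocation instead of Vec::with_capacity, which aborts on failure.
    let mut payload = Vec::new();
    payload.try_reserve_exact(len).map_err(|_| bad("allocation failed"))?;
    payload.resize(len, 0);
    // read_exact fails cleanly (UnexpectedEof) if the peer sends fewer bytes than declared.
    r.read_exact(&mut payload)?;
    if masked {
        for (i, b) in payload.iter_mut().enumerate() {
            *b ^= mask[i % 4];
        }
    }
    Ok(payload)
}
```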

Affected products

rust-websocket_project — rust-websocket

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.