{
  "threat_severity" : "Important",
  "public_date" : "2026-03-25T19:55:28Z",
  "bugzilla" : {
    "description" : "github.com/nats-io/nats-server: NATS-Server: Denial of Service via unbounded memory use in WebSockets",
    "id" : "2451445",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451445"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-770",
  "details" : [ "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571. That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if not required for project deployment.", "A flaw was found in NATS-Server. A malicious client connecting to the WebSockets port can cause unbounded memory use before authentication by sending a large amount of data. This resource exhaustion vulnerability can lead to a Denial of Service (DoS) for the server, making it unavailable to legitimate users." ],
  "package_state" : [ {
    "product_name" : "Multicluster Global Hub",
    "fix_state" : "Not affected",
    "package_name" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/oc-mirror-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33219\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33219\nhttps://advisories.nats.io/CVE/secnote-2026-02.txt\nhttps://advisories.nats.io/CVE/secnote-2026-11.txt\nhttps://github.com/advisories/GHSA-qrvq-68c2-7grw\nhttps://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j" ],
  "name" : "CVE-2026-33219",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}