CVE-2022-35922 – Memory allocation based on untrusted length in rust-websocket
https://notcve.org/view.php?id=CVE-2022-35922
Rust-WebSocket is a WebSocket (RFC 6455) library written in Rust. In versions prior to 0.26.5, an untrusted WebSocket peer can cause an out-of-memory (OOM) process abort in either a client or a server. The root cause lies in dataframe parsing: affected versions allocate the payload buffer from the dataframe length declared in the frame header, and that length is chosen by the remote peer. When `Vec::with_capacity` cannot satisfy the request, the default Rust allocator aborts the whole process rather than returning an error, killing every thread in it. Upgrading to 0.26.5 or later addresses the issue.

References:
• https://github.com/websockets-rs/rust-websocket/commit/cbf6e9983e839d2ecad86de8cd1b3f20ed43390b
• https://github.com/websockets-rs/rust-websocket/security/advisories/GHSA-qrjv-rf5q-qpxc
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4V2EOOU5OLEHVMKAH6BALQXKDKIZRXCI
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYPNCM4H4OFBIZI6XMJ2DUTS54FT2TWP

Weaknesses: CWE-400: Uncontrolled Resource Consumption; CWE-770: Allocation of Resources Without Limits or Throttling
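The following Rust example is added here to illustrate the bug class the advisory describes; it is not rust-websocket's code and does not reproduce the library's fix. It decodes the RFC 6455 payload-length field, shows the vulnerable pattern (sizing a `Vec` from the peer-declared length before any payload byte has arrived, so a hostile 2^63 declaration aborts the process) next to a hardened reader that rejects lengths above a configured limit and uses `Vec::try_reserve` so allocation failure is reported as an `io::Error` instead of an abort. `MAX_PAYLOAD`, the function names and the two sample frames are constructed for this example.

```rust
use std::convert::TryFrom;
use std::io::{self, Cursor, Read};

/// Upper bound on the payload length a peer may declare. The value is an
/// assumption for this example; a real deployment picks it per application.
pub const MAX_PAYLOAD: u64 = 16 * 1024 * 1024;

fn err(kind: io::ErrorKind, msg: &str) -> io::Error {
    io::Error::new(kind, msg)
}

/// Decode the payload length of an RFC 6455 frame header. Byte 0 carries
/// FIN/opcode, byte 1 carries MASK plus a 7-bit length; the values 126 and
/// 127 announce a 16-bit or 64-bit extended length that follows. Returns
/// (declared length, header bytes consumed). Masking keys are ignored here.
pub fn declared_payload_len(header: &[u8]) -> io::Result<(u64, usize)> {
    let len7 = *header
        .get(1)
        .ok_or_else(|| err(io::ErrorKind::UnexpectedEof, "short header"))?
        & 0x7f;
    match len7 {
        126 => {
            let b = header
                .get(2..4)
                .ok_or_else(|| err(io::ErrorKind::UnexpectedEof, "short 16-bit length"))?;
            Ok((u64::from(u16::from_be_bytes([b[0], b[1]])), 4))
        }
        127 => {
            let b = header
                .get(2..10)
                .ok_or_else(|| err(io::ErrorKind::UnexpectedEof, "short 64-bit length"))?;
            let mut raw = [0u8; 8];
            raw.copy_from_slice(b);
            Ok((u64::from_be_bytes(raw), 10))
        }
        n => Ok((u64::from(n), 2)),
    }
}

/// The pattern the advisory describes (illustrative, not the library's code):
/// the buffer capacity comes from the attacker-controlled length before a
/// single payload byte has been received. `Vec::with_capacity` never returns
/// an error; if the request cannot be satisfied the default allocator aborts
/// the whole process. Never call this with a peer-supplied `declared`.
pub fn read_payload_unbounded<R: Read>(reader: &mut R, declared: u64) -> io::Result<Vec<u8>> {
    let mut buf = Vec::with_capacity(declared as usize);
    reader.take(declared).read_to_end(&mut buf)?;
    Ok(buf)
}

/// Hardened reader: enforce a limit before touching the allocator, and use
/// `try_reserve` so that an allocation failure becomes an error the caller
/// can map to "close this connection" instead of a process abort.
pub fn read_payload_bounded<R: Read>(reader: &mut R, declared: u64, max: u64) -> io::Result<Vec<u8>> {
    if declared > max {
        return Err(err(io::ErrorKind::InvalidData, "declared payload length exceeds limit"));
    }
    let cap = usize::try_from(declared)
        .map_err(|_| err(io::ErrorKind::InvalidData, "declared length not addressable"))?;
    let mut buf = Vec::new();
    buf.try_reserve(cap)
        .map_err(|_| err(io::ErrorKind::OutOfMemory, "cannot reserve payload buffer"))?;
    let got = reader.take(declared).read_to_end(&mut buf)? as u64;
    if got != declared {
        return Err(err(io::ErrorKind::UnexpectedEof, "truncated payload"));
    }
    Ok(buf)
}

/// Parse one complete frame from a byte slice using the bounded reader.
pub fn parse_frame(frame: &[u8], max: u64) -> io::Result<Vec<u8>> {
    let (declared, hdr) = declared_payload_len(frame)?;
    let mut body = Cursor::new(&frame[hdr..]);
    read_payload_bounded(&mut body, declared, max)
}

fn main() {
    // Constructed frames: a benign 3-byte binary frame, and a hostile header
    // that declares a 2^63-byte payload with no body behind it.
    let benign = [0x82, 0x03, b'a', b'b', b'c'];
    let hostile = [0x82, 0x7f, 0x80, 0, 0, 0, 0, 0, 0, 0];
    println!("benign:  {:?}", parse_frame(&benign, MAX_PAYLOAD));
    println!("hostile: {:?}", parse_frame(&hostile, MAX_PAYLOAD).map_err(|e| e.kind()));
}
```

The limit check is the part that matters for an untrusted peer: `try_reserve` alone only helps when the allocator actually refuses, and on systems with memory overcommit a very large request can succeed and still exhaust memory later. Reading through `take(declared)` also keeps the buffer growing with bytes actually received rather than with bytes merely promised.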