CVE-2026-44545
Description
Daphne versions prior to 4.2.2 allow unauthenticated remote attackers to cause a denial of service by sending arbitrarily large WebSocket messages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Daphne versions before 4.2.2 fail to pass maxFramePayloadSize and maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Since Autobahn defaults these values to 0 (unlimited), the application is vulnerable to excessively large WebSocket messages or frames.
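An added illustration (not Daphne or Autobahn code) of the limit semantics described above: a size check that treats 0 as unlimited and otherwise decides from the length declared in the frame header, before any payload is buffered. `declared_payload_len`, `MessageSizeGuard` and the return strings are hypothetical names, and the sample headers are constructed.

```python
import struct

def declared_payload_len(header: bytes):
    """Return (payload_len, header_len) per RFC 6455 section 5.2, or None if truncated."""
    if len(header) < 2:
        return None
    length, offset = header[1] & 0x7F, 2
    if length == 126:    # 16-bit extended length
        fmt, offset = "!H", 4
    elif length == 127:  # 64-bit extended length
        fmt, offset = "!Q", 10
    else:
        fmt = None
    if fmt:
        if len(header) < offset:
            return None
        (length,) = struct.unpack(fmt, header[2:offset])
    return length, offset + (4 if header[1] & 0x80 else 0)  # +4 for mask key

class MessageSizeGuard:
    """Per-connection limit check (hypothetical helper). 0 means unlimited,
    the same convention as the Autobahn defaults described above."""
    def __init__(self, max_frame=0, max_message=0):
        self.max_frame, self.max_message = max_frame, max_message
        self.message_bytes = 0  # bytes declared so far for the in-progress message

    def on_frame_header(self, header: bytes) -> str:
        parsed = declared_payload_len(header)
        if parsed is None:
            return "need-more"
        length = parsed[0]
        fin, opcode = bool(header[0] & 0x80), header[0] & 0x0F
        if opcode >= 0x8:  # control frames are not part of a data message
            return "accept" if length <= 125 else "close-1002"
        if self.max_frame and length > self.max_frame:
            return "close-1009"  # 1009 = Message Too Big
        self.message_bytes += length
        if self.max_message and self.message_bytes > self.max_message:
            return "close-1009"
        if fin:
            self.message_bytes = 0  # message complete, reset the running total
        return "accept"

# Constructed sample headers (header bytes only, no payload follows).
MASK = b"\x00" * 4
SMALL = bytes([0x81, 0x85]) + MASK                              # FIN text, 5 bytes
HUGE = bytes([0x82, 0xFF]) + struct.pack("!Q", 1 << 30) + MASK  # FIN binary, declares 1 GiB
FRAG = bytes([0x02, 0xFF]) + struct.pack("!Q", 600 * 1024) + MASK  # non-FIN, 600 KiB
CONT = bytes([0x00, 0xFF]) + struct.pack("!Q", 600 * 1024) + MASK  # continuation, 600 KiB
```

With both limits at 0 the 1 GiB declaration is accepted; with 1 MiB limits it is refused on the header alone, and a fragmented message is refused at the frame that pushes the running total over the message limit.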
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending arbitrarily large WebSocket messages or frames to the vulnerable Daphne server. No specific authentication or user interaction is required.
Impact
Successful exploitation leads to excessive memory consumption on the server, resulting in a denial of service (DoS) for legitimate users. The scope of the impact is limited to the availability of the service.
Mitigation
Daphne version 4.2.2 and later contain a fix for this vulnerability. Users are advised to upgrade to version 4.2.2 or later. The release date for version 4.2.2 is not specified in the provided changelog [1].
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <4.2.2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions
No linked articles in our index yet.