PatchSiren cyber security CVE debrief
CVE-2026-42544 emmett-framework CVE debrief
CVE-2026-42544 is a network-reachable denial-of-service issue in Granian. An unauthenticated client can trigger a worker process abort by sending a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes. The crash occurs before the ASGI application is invoked. Granian 2.7.4 is listed as the fixed release.
- Vendor: emmett-framework
- Product: granian
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-18
Who should care
Teams running Granian in production, especially services exposed to untrusted network traffic or public WebSocket endpoints. SRE, platform, and application owners should care because the issue can terminate worker processes without authentication.
Technical summary
The issue affects Granian versions 1.2.0 through 2.7.4. During WebSocket scope construction, a malformed Sec-WebSocket-Protocol header containing non-ASCII bytes can abort a worker process. Because the failure happens before the ASGI app is invoked, application-level handling does not intercept it. The supplied record maps the issue to high-severity availability impact and lists CWE-20, CWE-248, and CWE-400.
Defensive priority
High. The vulnerability is unauthenticated and network-reachable, and it can cause worker crashes that disrupt service availability. Prioritize upgrading to the fixed Granian 2.7.4 release and validating crash resilience in exposed deployments.
Recommended defensive actions
- Upgrade Granian to version 2.7.4 or later.
- Verify that worker crash/restart behavior is monitored so repeated aborts are detected quickly.
- If immediate upgrade is not possible, reduce exposure of the affected service to untrusted clients until remediation is complete.
- Review any edge controls or request filtering in front of Granian for malformed WebSocket upgrade traffic.
- Confirm that deployment and incident alerting distinguish repeated worker exits from normal restarts.
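As an added example that is not Granian's or the advisory's own code, the check below shows what an edge filter in front of Granian would have to enforce: it parses a raw HTTP upgrade request and rejects any Sec-WebSocket-Protocol value that carries non-ASCII bytes or a subprotocol name that is not a valid token under the RFC 6455 / RFC 7230 grammar. The function names and the embedded sample requests are constructed assumptions, not taken from the page.

```python
import re

# RFC 7230 "token" characters: the only bytes a subprotocol name may contain.
_TCHAR = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_headers(raw: bytes) -> dict[bytes, list[bytes]]:
    """Split a raw HTTP/1.1 request head into a lowercase-name -> values map.
    Values are kept as bytes on purpose: decoding is exactly the step that must
    not happen before the header has been validated."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers: dict[bytes, list[bytes]] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # malformed header line without a colon; ignore here
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_ws_protocol_header(raw: bytes) -> tuple[bool, str]:
    """Return (accept, reason) for the Sec-WebSocket-Protocol header of a request.
    A request without the header is accepted; any non-ASCII byte or non-token
    subprotocol name is rejected so it never reaches the server behind the edge."""
    for value in parse_headers(raw).get(b"sec-websocket-protocol", []):
        if any(b > 0x7F for b in value):
            return False, "non-ASCII byte in Sec-WebSocket-Protocol"
        for proto in value.split(b","):
            proto = proto.strip()
            if not _TCHAR.match(proto):
                return False, f"invalid subprotocol token: {proto!r}"
    return True, "ok"


# Constructed sample requests (not real traffic).
GOOD = (b"GET /ws HTTP/1.1\r\nHost: example.test\r\nUpgrade: websocket\r\n"
        b"Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
        b"Sec-WebSocket-Version: 13\r\nSec-WebSocket-Protocol: chat, superchat\r\n\r\n")
BAD = GOOD.replace(b"chat, superchat", b"chat\xc3\xa9")  # UTF-8 bytes outside ASCII
NO_HDR = GOOD.replace(b"Sec-WebSocket-Protocol: chat, superchat\r\n", b"")

if __name__ == "__main__":
    for label, req in (("good", GOOD), ("bad", BAD), ("no header", NO_HDR)):
        print(label, check_ws_protocol_header(req))
```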
Evidence notes
The CVE description states that Granian 1.2.0 to 2.7.4 aborts a worker when an unauthenticated WebSocket upgrade request includes non-ASCII bytes in Sec-WebSocket-Protocol, and that the crash happens before the ASGI application is invoked. The supplied NVD metadata lists CVSS v3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, marks the vulnerability status as Deferred, and associates CWE-20, CWE-248, and CWE-400. The linked GitHub security advisory is the vendor-facing reference provided in the source corpus.
Official resources
- CVE-2026-42544 CVE record (CVE.org)
- CVE-2026-42544 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Publicly disclosed in the CVE record on 2026-05-12T22:16:34.467Z; the supplied NVD record was last modified on 2026-05-18T16:16:30.937Z. The issue is fixed in Granian 2.7.4.