
CVE-2022-35922: CWE-400: Uncontrolled Resource Consumption in websockets-rs rust-websocket

Severity: Medium
Published: Mon Aug 01 2022 (08/01/2022, 21:35:11 UTC)
Source: CVE
Vendor/Project: websockets-rs
Product: rust-websocket

Description

Rust-WebSocket is a WebSocket (RFC6455) library written in Rust. In versions prior to 0.26.5, untrusted websocket connections can cause an out-of-memory (OOM) process abort in a client or a server. The root cause of the issue is in dataframe parsing. Affected versions allocate a buffer based on the declared dataframe size, which may come from an untrusted source. When `Vec::with_capacity` fails to allocate, the default Rust allocator aborts the current process, killing all threads. This affects only the sync (non-Tokio) implementation. The async version also does not limit memory, but it does not use `with_capacity`, so DoS can happen only when the bytes for an oversized dataframe or message are actually delivered by the attacker. The crashes are fixed in version 0.26.5 by imposing default dataframe size limits. Affected users are advised to update to this version. Users unable to upgrade are advised to filter websocket traffic externally or to only accept trusted traffic.

AI-Powered Analysis

AI analysis last updated: 06/23/2025, 00:35:35 UTC

Technical Analysis

CVE-2022-35922 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting the Rust-WebSocket library, specifically versions prior to 0.26.5. Rust-WebSocket is a Rust implementation of the WebSocket protocol (RFC6455), used to establish full-duplex communication channels over a single TCP connection. The vulnerability arises in the synchronous (sync) implementation of the library during the parsing of WebSocket data frames. When processing incoming frames, the library allocates a buffer based on the declared size of the frame, which is derived from untrusted input. If an attacker crafts a frame with an excessively large size, the library attempts to allocate a correspondingly large buffer using Rust's Vec::with_capacity method. Should this allocation fail due to insufficient memory, the default Rust allocator triggers a process abort, terminating the entire process and all its threads. This results in a denial-of-service (DoS) condition. The asynchronous (async) implementation, which does not use Vec::with_capacity, does not abort on allocation failure but still lacks memory limits, allowing DoS only if the attacker can deliver the oversized frame bytes. The issue was addressed in version 0.26.5 by imposing default limits on the maximum allowed data frame size, preventing uncontrolled memory allocation. Users running vulnerable versions are advised to upgrade to 0.26.5 or later. If upgrading is not feasible, mitigating controls include filtering WebSocket traffic externally or restricting connections to trusted sources to prevent exploitation. No known exploits have been reported in the wild to date.
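The mechanism above comes down to trusting the length field of an RFC 6455 frame header before allocating. The following is an added example, not rust-websocket's own code: it decodes the 7-bit / 16-bit / 64-bit declared payload length and then applies the mitigation pattern the fix introduced (cap the declared size before allocating, and use a fallible allocation so exhaustion becomes an error instead of a process abort). `MAX_DATAFRAME_SIZE`, `FrameError` and the function names are assumptions for this example, not the library's identifiers or its actual default limit.

```rust
use std::convert::TryInto;

/// Cap on a single dataframe payload. A constructed value for this example,
/// not the default that rust-websocket 0.26.5 ships with.
pub const MAX_DATAFRAME_SIZE: usize = 16 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum FrameError {
    Truncated,
    TooLarge(u64),
    OutOfMemory,
}

/// Decode the declared payload length from an RFC 6455 frame header.
/// Returns (payload_len, header_bytes_consumed); the MASK bit is ignored here.
pub fn declared_payload_len(header: &[u8]) -> Result<(u64, usize), FrameError> {
    if header.len() < 2 {
        return Err(FrameError::Truncated);
    }
    match header[1] & 0x7F {
        // 0..=125: the length is the 7-bit field itself.
        n @ 0..=125 => Ok((n as u64, 2)),
        // 126: a 16-bit big-endian extended length follows.
        126 => {
            let b: [u8; 2] = header.get(2..4).ok_or(FrameError::Truncated)?.try_into().unwrap();
            Ok((u16::from_be_bytes(b) as u64, 4))
        }
        // 127: a 64-bit big-endian extended length follows. This is the field an
        // untrusted peer can set to an absurd value without sending any payload.
        _ => {
            let b: [u8; 8] = header.get(2..10).ok_or(FrameError::Truncated)?.try_into().unwrap();
            Ok((u64::from_be_bytes(b), 10))
        }
    }
}

/// Hardened allocation. The pre-0.26.5 pattern was effectively
/// `Vec::with_capacity(declared as usize)`, which aborts the whole process on
/// allocation failure. Here the declared size is checked against a limit first,
/// and `try_reserve_exact` turns a failed allocation into a recoverable error.
pub fn allocate_payload_buffer(declared: u64, max: usize) -> Result<Vec<u8>, FrameError> {
    if declared > max as u64 {
        return Err(FrameError::TooLarge(declared));
    }
    let mut buf = Vec::new();
    buf.try_reserve_exact(declared as usize)
        .map_err(|_| FrameError::OutOfMemory)?;
    Ok(buf)
}
```

A caller that gets `TooLarge` should close the connection (or send a 1009 "message too big" close frame) rather than continuing to read the declared payload.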

Potential Impact

The primary impact of this vulnerability is a denial-of-service condition caused by uncontrolled memory allocation leading to process termination. For European organizations utilizing the Rust-WebSocket library in their synchronous WebSocket servers or clients, this could result in service outages, disrupting real-time communication channels critical for web applications, IoT devices, or internal messaging systems. The abrupt process abort can cause downtime, loss of availability, and potential cascading failures if the WebSocket service is integral to broader application workflows. While confidentiality and integrity are not directly compromised, the availability impact can affect business continuity, especially for sectors relying on real-time data exchange such as finance, telecommunications, and critical infrastructure. The async implementation is less susceptible to immediate crashes but remains vulnerable to resource exhaustion if attackers can deliver large frames, potentially degrading performance or causing slowdowns. Given the reliance on WebSocket communications in modern web applications, this vulnerability could be exploited by attackers to disrupt services, particularly if exposed to untrusted networks or the internet without adequate filtering.

Mitigation Recommendations

1. Immediate upgrade to Rust-WebSocket version 0.26.5 or later, which includes built-in limits on data frame sizes to prevent uncontrolled memory allocation.
2. For organizations unable to upgrade promptly, implement external WebSocket traffic filtering at network or application gateways to block or limit oversized frames and restrict connections to trusted IP addresses or networks.
3. Employ Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) configured to detect and block anomalous WebSocket traffic patterns indicative of oversized frames or resource exhaustion attempts.
4. Monitor WebSocket server logs and system resource usage to detect abnormal memory consumption or frequent process aborts, enabling rapid incident response.
5. Where possible, prefer the asynchronous implementation of Rust-WebSocket with additional custom limits on frame sizes and memory usage to reduce risk.
6. Conduct regular security assessments and code reviews of WebSocket implementations to ensure adherence to best practices for resource management and input validation.
7. Educate development and operations teams about the risks of uncontrolled resource consumption and the importance of applying patches promptly.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-07-15T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9844c4522896dcbf3a49

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/23/2025, 12:35:35 AM

Last updated: 8/17/2025, 12:41:51 PM

