PT-2026-38268 · Granian · Granian

Published

2026-05-06

·

Updated

2026-05-12

·

CVE-2026-42544

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Granian versions 1.2.0 through 2.7.3
Description: An unauthenticated client can cause a worker process to abort by sending a WebSocket upgrade request containing non-ASCII bytes in the Sec-WebSocket-Protocol header. This occurs during the WebSocket scope construction path, before the ASGI application is invoked. The issue is triggered when the HeaderValue::to_str() function returns an error for bytes outside the visible ASCII range, and a subsequent .unwrap() call on that result causes a panic. Because release builds are configured to abort on panic, this results in a denial of service: a single crafted request terminates one worker, and repeated requests can take the entire service offline.
Recommendations: Update to version 2.7.4.
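The following is an added example that is not Granian's code and not the 2.7.4 fix; it models the bug class the description names so the difference between the panicking and the non-panicking handling is visible in isolation. The HeaderValue type here is a local stand-in that reimplements the visible-ASCII rule of http::HeaderValue::to_str() (so the example needs no external crates), and the function names build_scope_unwrap and build_scope_checked, the ScopeResult type and the choice to answer 400 Bad Request are assumptions made for illustration.

```rust
// Added example, not Granian's code. Models the pattern in the advisory:
// a header value that is not visible ASCII makes to_str() fail; calling
// unwrap() on that result panics, and with panic = "abort" in the release
// profile the panic terminates the whole worker process.

/// Error returned when a header value is not visible ASCII. Mirrors the
/// contract of http::HeaderValue::to_str(), reimplemented locally so the
/// example has no dependencies (assumption: same accept rule as that crate).
#[derive(Debug, PartialEq)]
pub struct ToStrError;

/// Minimal stand-in for a header value: the raw bytes received on the wire.
pub struct HeaderValue(Vec<u8>);

impl HeaderValue {
    pub fn from_bytes(b: &[u8]) -> Self {
        HeaderValue(b.to_vec())
    }

    /// Accept only visible ASCII (0x20..=0x7E) plus horizontal tab; any other
    /// byte (for example a UTF-8 sequence) is an error, never a panic.
    pub fn to_str(&self) -> Result<&str, ToStrError> {
        if self.0.iter().all(|&b| (0x20..0x7F).contains(&b) || b == b'\t') {
            // All bytes are ASCII, so the slice is valid UTF-8.
            Ok(std::str::from_utf8(&self.0).expect("ASCII is valid UTF-8"))
        } else {
            Err(ToStrError)
        }
    }
}

/// Outcome of building the WebSocket scope for one upgrade request
/// (hypothetical type for this example).
#[derive(Debug, PartialEq)]
pub enum ScopeResult {
    /// Subprotocols parsed from Sec-WebSocket-Protocol.
    Ok(Vec<String>),
    /// Request rejected with an HTTP status; the worker keeps running.
    Reject(u16),
}

/// Split a comma-separated subprotocol list into trimmed tokens.
fn parse_protocols(s: &str) -> Vec<String> {
    s.split(',').map(|p| p.trim().to_string()).collect()
}

/// Vulnerable pattern: unwrap() on a client-controlled header value.
/// With panic = "abort" this kills the process instead of failing one request.
pub fn build_scope_unwrap(protocol_header: Option<&HeaderValue>) -> ScopeResult {
    match protocol_header {
        Some(v) => {
            let s = v.to_str().unwrap(); // panics on non-ASCII bytes
            ScopeResult::Ok(parse_protocols(s))
        }
        None => ScopeResult::Ok(Vec::new()),
    }
}

/// Hardened pattern: a to_str() failure is a malformed request, answered with
/// 400 Bad Request, so one bad client cannot take the worker down.
pub fn build_scope_checked(protocol_header: Option<&HeaderValue>) -> ScopeResult {
    match protocol_header {
        Some(v) => match v.to_str() {
            Ok(s) => ScopeResult::Ok(parse_protocols(s)),
            Err(_) => ScopeResult::Reject(400),
        },
        None => ScopeResult::Ok(Vec::new()),
    }
}

fn main() {
    // Constructed sample values: a well-formed list and one containing a
    // non-ASCII byte sequence (UTF-8 for "é").
    let good = HeaderValue::from_bytes(b"chat, superchat");
    let bad = HeaderValue::from_bytes(b"chat\xC3\xA9");
    println!("{:?}", build_scope_checked(Some(&good)));
    println!("{:?}", build_scope_checked(Some(&bad)));
    // build_scope_unwrap(Some(&bad)) would panic here; under panic = "abort"
    // the worker process would terminate instead of returning a response.
}
```

The point of the checked variant is that every header-derived value reaches the scope through a match on the Result rather than an unwrap, so malformed input turns into a per-request error instead of a process-wide abort. When auditing similar Rust servers, grep for `.unwrap()` and `.expect(` on values derived from request bytes and check what `panic` is set to in the release profile; with `panic = "abort"`, any such call on client input is a crash primitive.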

Exploit

Fix

Resource Exhaustion

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-42544
GHSA-VRG7-482J-P6F6

Affected Products

Granian