Stay Connected:

CVE-2026-1528

CVE Details

Release Date:2026-03-12
Impact:Important What is this?

Description


ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

See more information about CVE-2026-1528 from MITRE CVE dictionary and NIST NVD


NOTE: The following CVSS metrics and score provided are preliminary and subject to review.


CVSS v3 metrics

Base Score: 7.5
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Version: 3.1
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High

Errata information


PlatformErrataRelease Date
Oracle Linux version 10 (nodejs22) ELSA-2026-70802026-04-08
Oracle Linux version 8 (nodejs) ELSA-2026-71232026-04-09
Oracle Linux version 8 (nodejs-nodemon) ELSA-2026-71232026-04-09
Oracle Linux version 8 (nodejs-packaging) ELSA-2026-71232026-04-09
Oracle Linux version 9 (nodejs) ELSA-2026-73022026-04-10
Oracle Linux version 9 (nodejs) ELSA-2026-73502026-04-10
Oracle Linux version 9 (nodejs-nodemon) ELSA-2026-73022026-04-10
Oracle Linux version 9 (nodejs-nodemon) ELSA-2026-73502026-04-10
Oracle Linux version 9 (nodejs-packaging) ELSA-2026-73022026-04-10
Oracle Linux version 9 (nodejs-packaging) ELSA-2026-73502026-04-10


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:

software.hardware.complete
Subscribe | Careers | Contact Us | Legal Notices | Terms of Use | Your Privacy Rights