PT-2026-25075 · Undici
Matteo Collina
Published: 2026-03-12 · Updated: 2026-05-18
CVE-2026-1528
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
undici versions prior to 7.24.0
undici versions prior to 6.24.0
Description
A server can respond with a WebSocket frame that uses the 64-bit payload length format with an excessively large length value. The ByteParser component within undici experiences an integer overflow during its internal length arithmetic, which leaves the parser in an invalid state and ultimately causes a fatal TypeError that terminates the process.
Recommendations
Upgrade to undici version 7.24.0 or later.
Upgrade to undici version 6.24.0 or later.
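The check a WebSocket client should apply to the 64-bit length form described above, as an added example that is not undici's code: the extended length is read as a BigInt, rejected if the reserved top bit is set (RFC 6455 section 5.2) or if it cannot be represented exactly as a JavaScript Number, and capped by a size limit before any offset arithmetic uses it. The function name, the maxPayload option and the sample frame bytes are constructed for this example.

```javascript
// Added example (not undici's code): parse an RFC 6455 frame header and
// validate the extended payload length before any arithmetic uses it.
// parseFrameHeader, maxPayload and the sample bytes are constructed here.

function parseFrameHeader(buf, { maxPayload = 16 * 1024 * 1024 } = {}) {
  if (buf.length < 2) return null; // need more bytes before deciding
  const fin = (buf[0] & 0x80) !== 0;
  const opcode = buf[0] & 0x0f;
  const masked = (buf[1] & 0x80) !== 0;
  let len = buf[1] & 0x7f;
  let offset = 2;

  if (len === 126) {
    if (buf.length < 4) return null;
    len = buf.readUInt16BE(2); // 16-bit extended length
    offset = 4;
  } else if (len === 127) {
    if (buf.length < 10) return null;
    // Read the 64-bit length as a BigInt so nothing is lost before checking.
    const big = buf.readBigUInt64BE(2);
    // RFC 6455 section 5.2: the most significant bit MUST be 0.
    if (big & (1n << 63n)) throw new RangeError('invalid 64-bit length: MSB set');
    // Only accept values that a Number represents exactly, so later
    // offset + length arithmetic cannot silently lose precision.
    if (big > BigInt(Number.MAX_SAFE_INTEGER)) {
      throw new RangeError('64-bit length exceeds safe integer range');
    }
    len = Number(big);
    offset = 10;
  }

  // Enforce an application limit before allocating or advancing offsets.
  if (len > maxPayload) {
    throw new RangeError(`payload ${len} exceeds maxPayload ${maxPayload}`);
  }
  if (masked) offset += 4; // masking key follows the length
  return { fin, opcode, masked, payloadLength: len, headerLength: offset };
}

// Constructed sample: unmasked binary frame using the 64-bit length form.
function headerWith64BitLength(hexLen) {
  return Buffer.concat([Buffer.from([0x82, 0x7f]), Buffer.from(hexLen, 'hex')]);
}

// Helper that turns the parser's outcome into a short verdict string.
function classify(buf, opts) {
  try { return parseFrameHeader(buf, opts) ? 'ok' : 'incomplete'; }
  catch (e) { return `rejected: ${e.message}`; }
}
```

A header that fails any of the three checks is rejected with a descriptive RangeError the caller can handle by closing the connection, rather than reaching an invalid parser state.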
Affected Products
Rocky Linux
Undici