undici is vulnerable to Malicious WebSocket 64-bit length overflows undici parser and crashes the client
Summary
| CVE | CVE-2026-1528 |
|---|---|
| State | PUBLISHED |
| Assigner | openjs |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-12 21:16:25 UTC |
| Updated | 2026-07-02 12:16:55 UTC |
| Description | ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Problem Types: CWE-248 | CWE-1284 | CWE-248 CWE-248 Uncaught exception | CWE-1284 CWE-1284 Improper validation of specified quantity in input | CWE-248 Uncaught Exception
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | ce714d77-add3-4f53-aff5-83d477b104bb | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Undici | Undici | affected >= 6.0.0 < 6.24.0; 7.0.0 < 7.24.0 | Not specified |
| CNA | Undici | Undici | unaffected 6.24.0: 7.24.0 | Not specified |
| ADP | Red Hat | Cryostat 4 On RHEL 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream EUS V. 10.0 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream V. 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream V. 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream EUS V.9.6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream V. 9 | Not specified | Not specified |
| ADP | Red Hat | Cluster Observability Operator 1.5.0 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Developer Hub 1.8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Developer Hub 1.9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 2.16 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces 3.28 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Pipelines 1.2 | Not specified | Not specified |
| ADP | Red Hat | OpenShift Lightspeed | Not specified | Not specified |
| ADP | Red Hat | OpenShift Pipelines | Not specified | Not specified |
| ADP | Red Hat | Red Hat Developer Hub | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Self-service Automation Portal 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:5807 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| cna.openjsf.org/security-advisories.html | ce714d77-add3-4f53-aff5-83d477b104bb | cna.openjsf.org | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:7310 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:7675 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34342 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-1528 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:7123 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:9742 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:21931 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:7983 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| hackerone.com/reports/3537648 | ce714d77-add3-4f53-aff5-83d477b104bb | hackerone.com | Permissions Required |
| access.redhat.com/errata/RHSA-2026:7350 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:7302 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13826 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:7670 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1528.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:21772 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj | ce714d77-add3-4f53-aff5-83d477b104bb | github.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:17789 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:7080 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Matteo Collina (en)
CNA: Ulises Gascón (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-03-12T21:01:36.954Z | Reported to Red Hat. |
| ADP | 2026-03-12T20:21:57.775Z | Made public. |
Solutions
ADP: RHSA-2026:17789: Cryostat 4 on RHEL 9
ADP: RHSA-2026:7310: Red Hat Enterprise Linux AppStream EUS (v. 10.0)
ADP: RHSA-2026:7080: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:7675: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:7123: Red Hat Enterprise Linux AppStream (v. 8)
ADP: RHSA-2026:7670: Red Hat Enterprise Linux AppStream (v. 8)
ADP: RHSA-2026:7983: Red Hat Enterprise Linux AppStream EUS (v.9.6)
ADP: RHSA-2026:7302: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:7350: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:34342: Cluster Observability Operator 1.5.0
ADP: RHSA-2026:9742: Red Hat Developer Hub 1.8
ADP: RHSA-2026:13826: Red Hat Developer Hub 1.9
ADP: RHSA-2026:5807: Red Hat OpenShift AI 2.16
ADP: RHSA-2026:21772: Red Hat OpenShift Dev Spaces 3.28
ADP: RHSA-2026:21931: Red Hat OpenShift Pipelines 1.2
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.