Cyber Resilience

CVE-2026-1526

High

Published: 12 March 2026

Modified: 20 March 2026
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0002 (6.1st percentile)
Risk priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-1526 is a high-severity Data Amplification (CWE-409) vulnerability in Nodejs Undici. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 6.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-Service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-1526 is a denial-of-service vulnerability in the undici WebSocket client, stemming from unbounded memory consumption during permessage-deflate decompression. The issue resides in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without enforcing limits on the total decompressed size. This affects Node.js processes using the undici library when handling WebSocket connections that negotiate the permessage-deflate extension.

A remote attacker who controls a malicious WebSocket server can exploit this vulnerability against any undici client that connects and negotiates the extension. By sending a small compressed frame—a "decompression bomb"—that expands to an extremely large size upon decompression, the attacker triggers memory exhaustion in the victim's Node.js process, causing it to crash or become unresponsive. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects its network accessibility, low attack complexity, lack of required privileges or user interaction, and high availability impact, mapped to CWE-409 (Improper Handling of Highly Compressed Data).

Mitigation guidance and patches are detailed in related advisories, including the GitHub security advisory for undici (GHSA-vrm6-8vpv-qv8q), the OpenJS Foundation CNA page, and the HackerOne disclosure report 3481206. Additional technical context on permessage-deflate is available in RFC 7692.

Vulnerability details

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size.

A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive. The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Decompression bomb in undici WS client directly enables remote memory exhaustion leading to application crash via crafted compressed frames (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2229 (same product: Nodejs Undici)
CVE-2026-1528 (same product: Nodejs Undici)
CVE-2026-22036 (same product: Nodejs Undici)
CVE-2026-1525 (same product: Nodejs Undici)
CVE-2025-59466 (same vendor: Nodejs)
CVE-2026-22776 (shared CWE-409)
CVE-2026-43970 (shared CWE-409)
CVE-2025-59464 (same vendor: Nodejs)
CVE-2024-7765 (shared CWE-409)
CVE-2026-21637 (same vendor: Nodejs)

Affected Assets

nodejs
undici
≤ 6.24.0 · 7.0.0 — 7.24.0

Mitigating Controls (NIST 800-53 r5)

SC-5 (prevent): enforces denial-of-service protection mechanisms to limit memory consumption from decompression bombs in WebSocket frames.

SI-2 (prevent): requires timely identification, reporting, and patching of the unbounded memory accumulation flaw in undici's PerMessageDeflate.decompress() method.

SI-10 (prevent): mandates validation of decompressed data sizes to ensure they stay within safe thresholds, preventing expansion of malicious compressed frames.
