Cyber Resilience

CVE-2026-1528

High

Published: 12 March 2026
Modified: 20 March 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.0012 (30.6th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-1528 is a high-severity Uncaught Exception (CWE-248) vulnerability in Nodejs Undici. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its EPSS exploit likelihood ranks at the 30.6th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1528 is a denial-of-service vulnerability in the undici library, a Node.js HTTP and WebSocket client. The issue arises in undici's ByteParser when processing a WebSocket frame that uses the 64-bit length form with an extremely large length value. This causes an internal math overflow, leading the parser to an invalid state and triggering a fatal TypeError that terminates the process.

A remote attacker can exploit this vulnerability by controlling a server to which an undici-based client connects over WebSocket. No authentication, privileges, or user interaction are required, as indicated by the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Successful exploitation results in a crash of the affected client process, enabling denial of service against applications relying on vulnerable undici versions.

Advisories recommend upgrading to undici version v7.24.0 or v6.24.0 or later, where the issue is patched. Additional details are available in the OpenJSF CNA security advisories, the GitHub Security Advisory GHSA-f269-vfmq-vjvj for nodejs/undici, and the related HackerOne report 3537648. The vulnerability is associated with CWE-248 (Uncaught Exception) and CWE-1284 (Immutable Object with Mutable Interface).


Vulnerability details

Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.

Patches: Patched in undici versions v7.24.0 and v6.24.0. Users should upgrade to these versions or later.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The CVE enables remote exploitation of the undici WebSocket parser to crash the client process via an integer overflow and an uncaught exception, which directly matches application/system exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2229 (same product: Nodejs Undici)
CVE-2026-1526 (same product: Nodejs Undici)
CVE-2026-22036 (same product: Nodejs Undici)
CVE-2026-1525 (same product: Nodejs Undici)
CVE-2025-59466 (same vendor: Nodejs)
CVE-2026-21637 (same vendor: Nodejs)
CVE-2025-59464 (same vendor: Nodejs)
CVE-2021-47827 (shared CWE-1284)
CVE-2026-21636 (same vendor: Nodejs)
CVE-2025-55130 (same vendor: Nodejs)

Affected Assets

nodejs undici: versions ≤ 6.24.0 and 7.0.0 to 7.24.0

Mitigating Controls (NIST 800-53 r5, AI)

SI-2 Flaw Remediation (prevent): Timely flaw remediation requires upgrading to patched undici versions v7.24.0 or v6.24.0, directly eliminating the WebSocket frame length overflow vulnerability.

SI-10 Information Input Validation (prevent): Information input validation enforces checks on WebSocket frame lengths to reject oversized 64-bit values before ByteParser processing, preventing math overflow and crashes.

SI-11 Error Handling (prevent): Error handling ensures parsing exceptions from invalid WebSocket frames do not result in fatal TypeErrors that terminate the process.
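One way to implement the frame-length check and error handling the controls above describe, as an added example that is not undici's own code: a client-side RFC 6455 frame-header parser that reads the 64-bit length as a BigInt and turns an oversized or malformed length into a protocol error (close code 1002) rather than an uncaught exception. The maxPayload limit and the shape of the returned object are assumptions of this example.

```javascript
// Added example, not undici's code: defensive RFC 6455 frame-header parsing for a
// WebSocket client. Every length form is validated before any arithmetic or
// buffer allocation depends on it. Assumes Node.js Buffer (readBigUInt64BE).
const MAX_SAFE_LENGTH = BigInt(Number.MAX_SAFE_INTEGER); // 2^53 - 1

function needMore() {
  return { ok: false, fatal: false, reason: 'need more data' };
}

function protocolError(reason) {
  // A protocol error closes the connection (RFC 6455 close code 1002)
  // instead of surfacing as an uncaught TypeError that kills the process.
  return { ok: false, fatal: true, closeCode: 1002, reason };
}

function parseFrameHeader(buf, maxPayload = 1 << 20) {
  if (buf.length < 2) return needMore();
  const fin = (buf[0] & 0x80) !== 0;
  const opcode = buf[0] & 0x0f;
  const masked = (buf[1] & 0x80) !== 0;
  let length = buf[1] & 0x7f;
  let offset = 2;

  if (length === 126) {
    if (buf.length < 4) return needMore();
    length = buf.readUInt16BE(2);
    offset = 4;
    if (length < 126) return protocolError('non-minimal 16-bit length encoding');
  } else if (length === 127) {
    if (buf.length < 10) return needMore();
    // Read the 64-bit field as a BigInt: a JS Number cannot hold every 64-bit
    // value exactly, so converting first and checking afterwards is too late.
    const big = buf.readBigUInt64BE(2);
    // RFC 6455 5.2: the most significant bit MUST be 0; anything above 2^53-1
    // is also unrepresentable as a Number, so one comparison rejects both.
    if (big > MAX_SAFE_LENGTH) return protocolError('64-bit length too large to represent');
    length = Number(big);
    offset = 10;
    if (length < 65536) return protocolError('non-minimal 64-bit length encoding');
  }

  // RFC 6455 5.1: a server MUST NOT mask frames it sends to the client.
  if (masked) return protocolError('server-to-client frame must not be masked');
  // RFC 6455 5.5: control frames carry at most 125 bytes and are never fragmented.
  if (opcode >= 0x8 && (length > 125 || !fin)) return protocolError('invalid control frame');
  if (length > maxPayload) return protocolError(`payload length ${length} exceeds limit ${maxPayload}`);

  return { ok: true, fin, opcode, length, headerLength: offset };
}
```

The application-level maxPayload bound is what keeps a syntactically valid but huge length from driving a later allocation; the representability check alone only removes the overflow.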
