Cyber Posture

CVE-2026-1528

Severity: High
Published: 12 March 2026
Modified: 20 March 2026
KEV Added: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0014 (33.6th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-1528 is a high-severity Uncaught Exception (CWE-248) vulnerability in Nodejs Undici, with a CVSS base score of 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 33.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-248: prevents abrupt termination from uncaught exceptions by requiring a defined, preserved-state failure mode.
- Addresses CWE-248: requires pre-defined safe responses for uncaught exceptions so they do not result in undefined or insecure program termination.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE enables remote exploitation of the undici WebSocket parser to crash the client process via an integer overflow and an uncaught exception, directly matching application/system exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.

Patches: Patched in the undici versions v7.24.0 and v6.24.0. Users should upgrade to these versions or later.

Deeper analysis

CVE-2026-1528 is a denial-of-service vulnerability in the undici library, a Node.js HTTP and WebSocket client. The issue arises in undici's ByteParser when processing a WebSocket frame that uses the 64-bit length form with an extremely large length value. This causes an internal math overflow, leading the parser to an invalid state and triggering a fatal TypeError that terminates the process.

A remote attacker can exploit this vulnerability by controlling a server to which an undici-based client connects over WebSocket. No authentication, privileges, or user interaction are required, as indicated by the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Successful exploitation results in a crash of the affected client process, enabling denial of service against applications relying on vulnerable undici versions.

Advisories recommend upgrading to undici version v7.24.0 or v6.24.0 or later, where the issue is patched. Additional details are available in the OpenJSF CNA security advisories, the GitHub Security Advisory GHSA-f269-vfmq-vjvj for nodejs/undici, and the related HackerOne report 3537648. The vulnerability is associated with CWE-248 (Uncaught Exception) and CWE-1284 (Immutable Object with Mutable Interface).
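The check a hardened client-side parser needs at the step described above, as an added example that is not undici's code: the 64-bit extended payload length is read as a BigInt, validated against RFC 6455's reserved high bit and a configured maximum (DEFAULT_MAX_PAYLOAD is an assumed value) before it is ever converted to a Number, and failures come back as a WebSocket close code (1002 protocol error, 1009 message too big) rather than as an exception that ends the process. The sample frames are constructed, not captured traffic.

```javascript
// Added example (not undici's code): parse a WebSocket frame header per RFC 6455
// and reject oversized 64-bit payload lengths with a structured result instead of
// letting an out-of-range length reach later arithmetic and throw.

// Assumed bound: 16 MiB. Any real client should pick a limit far below 2^53.
const DEFAULT_MAX_PAYLOAD = 16 * 1024 * 1024;

// Returns { ok: true, fin, opcode, masked, payloadLength, headerLength }
// or { ok: false, closeCode, reason }. Never throws on peer-controlled input.
function parseFrameHeader(buf, maxPayload = DEFAULT_MAX_PAYLOAD) {
  if (buf.length < 2) return { ok: false, closeCode: 1002, reason: 'short header' };
  const fin = (buf[0] & 0x80) !== 0;
  const opcode = buf[0] & 0x0f;
  const masked = (buf[1] & 0x80) !== 0;
  let payloadLength = buf[1] & 0x7f;
  let offset = 2;

  if (payloadLength === 126) {
    if (buf.length < 4) return { ok: false, closeCode: 1002, reason: 'short header' };
    payloadLength = buf.readUInt16BE(2);
    offset = 4;
  } else if (payloadLength === 127) {
    if (buf.length < 10) return { ok: false, closeCode: 1002, reason: 'short header' };
    // Read the 64-bit form as a BigInt so the value cannot silently lose precision.
    const len64 = buf.readBigUInt64BE(2);
    // RFC 6455 section 5.2: the most significant bit of the 64-bit length MUST be 0.
    if (len64 > 0x7fffffffffffffffn) {
      return { ok: false, closeCode: 1002, reason: 'invalid 64-bit length' };
    }
    // Bound-check while still a BigInt; converting first is where precision is lost.
    if (len64 > BigInt(maxPayload)) {
      return { ok: false, closeCode: 1009, reason: 'payload exceeds maxPayload' };
    }
    payloadLength = Number(len64);
    offset = 10;
  }

  if (payloadLength > maxPayload) {
    return { ok: false, closeCode: 1009, reason: 'payload exceeds maxPayload' };
  }
  if (masked) offset += 4; // 4-byte masking key follows the length field
  return { ok: true, fin, opcode, masked, payloadLength, headerLength: offset };
}

// Constructed sample frames (not captured traffic).
// Unmasked text frame, FIN set, 5-byte payload "hello".
const SMALL_FRAME = Buffer.from([0x81, 0x05, 0x68, 0x65, 0x6c, 0x6c, 0x6f]);
// Binary frame using the 64-bit length form with an absurd length of 2^63 - 1.
const HUGE_FRAME = Buffer.from([0x82, 0x7f, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff]);
```

The caller closes the connection with the returned code and continues serving other connections, which is the preserved-state failure mode the CWE-248 controls above call for.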

Details

CWE(s): CWE-248 (Uncaught Exception), CWE-1284

Affected Products: nodejs / undici, versions ≤ 6.24.0 and 7.0.0 to 7.24.0

CVEs Like This One

CVE-2026-2229 (same product: Nodejs Undici)
CVE-2026-22036 (same product: Nodejs Undici)
CVE-2026-1526 (same product: Nodejs Undici)
CVE-2026-1525 (same product: Nodejs Undici)
CVE-2025-59466 (same vendor: Nodejs)
CVE-2025-59464 (same vendor: Nodejs)
CVE-2026-21637 (same vendor: Nodejs)
CVE-2026-34752 (shared CWE-248)
CVE-2026-24175 (shared CWE-248)
CVE-2025-20176 (shared CWE-248)
