CVE-2026-1528

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-1528

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1528.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-1528

Aliases

GHSA-f269-vfmq-vjvj

Downstream

DEBIAN-CVE-2026-1528

MINI-2667-43w7-4jc8

MINI-9fx9-vvwr-97gj

MINI-9wc3-xrm4-5rfc

MINI-fxgq-f6hg-wv5c

MINI-gm9m-q896-grpm

MINI-hgg9-9wr6-7hwv

MINI-rxpj-x747-w6p2

MINI-w7v3-vfrh-fx5j

MINI-xm69-ph56-57vp

ROOT-APP-NPM-CVE-2026-1528

UBUNTU-CVE-2026-1528

Related

CGA-w442-vj6r-7j29

Published

2026-03-12T21:16:25.330Z

Modified

2026-03-18T22:58:59.409706Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

References

Affected packages

Git /

Affected ranges

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1528.json"