CVE-2026-1528
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows in
CVSS
7.5
High
EPSS
0.5%
p39
KEV
—
Exploit Today
12
0-100
Published: Mar 12, 2026 · Last modified: Jul 15, 2026 · CWE-248 · CWE-1284
0.5%EPSS · 30 days0.5%
2026-06-302026-07-17
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
- cna.openjsf.orghttps://cna.openjsf.org/security-advisories.html
- github.comhttps://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj
- hackerone.comhttps://hackerone.com/reports/3537648
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:13826
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:17789
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:21772
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:21931
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:34342
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:5807
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7080
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7123
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7302
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7310
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7350
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7670
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7675
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7983
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:9742
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-1528
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2447145
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2025-594657.5 HIG88.8%
——27A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:
```
server.on('secureConnection', socket => {
socket.on('error', err => {
console.log(err)
})
})
```3dCVE-2026-238647.5 HIG82.9%
——25Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.
The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.
Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.3dCVE-2026-503287.5 HIG64.9%
——19Uncaught exception in Windows Server Update Service allows an unauthorized attacker to perform tampering over a network.3dCVE-2026-22297.5 HIG54.9%
——16ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
* The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
* The createInflateRaw() call is not wrapped in a try-catch block
* The resulting exception propagates up through the call stack and crashes the Node.js process3dCVE-2026-30858.8 HIG53.4%
——16GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the processing of X-QDM RTP payloads. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28851.3dCVE-2026-591627.5 HIG47.2%
——14Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, Excelize parses shared-string cell values with strconv.Atoi and checks only the upper bound before indexing the shared string slice, allowing an XLSX file containing a shared-string cell with -1 to trigger sharedStrings[-1] and panic when read through GetCellValue or GetRows. This issue is fixed in version 2.11.0.2d