CVE-2026-1528

ADVISORY - github

Summary

Impact

A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
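The impact above follows from acting on a declared 64-bit frame length without validating it. As an added example (not undici's code or its patch), this Node.js sketch checks the RFC 6455 length field before it is used and returns a close decision instead of throwing; `MAX_PAYLOAD`, `FrameLengthError`, `readPayloadLength` and `checkHeader` are hypothetical names and the 16 MiB limit is an assumption.

```javascript
// Added example, not undici's code. MAX_PAYLOAD is an assumed application limit.
const MAX_PAYLOAD = 16 * 1024 * 1024;

class FrameLengthError extends Error {
  constructor(message, closeCode) {
    super(message);
    this.closeCode = closeCode; // RFC 6455 close code to send to the peer
  }
}

// Decode the payload length at the start of a frame (RFC 6455, section 5.2).
// Returns { length, offset }, or null when the header is still incomplete.
function readPayloadLength(buf, maxPayload = MAX_PAYLOAD) {
  if (buf.length < 2) return null;
  const len7 = buf[1] & 0x7f; // low 7 bits; the top bit is the MASK flag
  let length = len7;
  let offset = 2;
  if (len7 === 126) {
    if (buf.length < 4) return null;
    length = buf.readUInt16BE(2);
    offset = 4;
  } else if (len7 === 127) {
    if (buf.length < 10) return null;
    // Keep the value as a BigInt until it is known to be small enough.
    const big = buf.readBigUInt64BE(2);
    if (big >> 63n !== 0n) throw new FrameLengthError('64-bit length has its top bit set', 1002);
    if (big > BigInt(maxPayload)) throw new FrameLengthError('declared length exceeds limit', 1009);
    length = Number(big);
    offset = 10;
  }
  if (length > maxPayload) throw new FrameLengthError('declared length exceeds limit', 1009);
  return { length, offset };
}

// Turn a bad header into a close decision instead of an uncaught exception.
function checkHeader(buf, maxPayload = MAX_PAYLOAD) {
  try {
    return { ok: true, header: readPayloadLength(buf, maxPayload) };
  } catch (err) {
    if (!(err instanceof FrameLengthError)) throw err;
    return { ok: false, closeCode: err.closeCode, reason: err.message };
  }
}

// Constructed sample headers (binary frame, FIN set, unmasked).
const hugeHeader = Buffer.from([0x82, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff]);
const overLimit = Buffer.from([0x82, 0x7f, 0, 0x20, 0, 0, 0, 0, 0, 0]); // 2^53, above the limit
const smallHeader = Buffer.from([0x82, 0x7e, 0x01, 0x00]); // 256 bytes
console.log(checkHeader(hugeHeader), checkHeader(overLimit), checkHeader(smallHeader));
```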

Patches

Patched in undici v7.24.0 and v6.24.0. Users should upgrade to one of these versions or later.

Workarounds

There are no workarounds.

EPSS Score: 0.0014 (0.336)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Improper Validation of Specified Quantity in Input

Uncaught Exception

ADVISORY - github

Improper Validation of Specified Quantity in Input

Uncaught Exception

ADVISORY - redhat

Uncaught Exception

