Bug 2447145 (CVE-2026-1528)

Summary: CVE-2026-1528 undici: undici: Denial of Service via crafted WebSocket frame with large length
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, abarbaro, alizardo, anpicker, asoldano, bbaranow, bmaxwell, bparees, brian.stansberry, cmah, darran.lofthouse, dosoudil, dschmidt, eaguilar, ebaron, erezende, fjuma, hasun, istudens, ivassile, iweiss, jchui, jfula, jhe, jkoehler, jlanda, jolong, jowilson, kshier, ktsao, lphiri, mosmerov, msvehla, nboldt, nwallace, nyancey, ometelka, pberan, pesilva, pjindal, pmackay, psrna, ptisnovs, rstancel, sdawley, simaishi, smaestri, smcdonal, stcannon, syedriko, teagle, tom.jenkinson, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in undici. A remote attacker could exploit this vulnerability by sending a specially crafted WebSocket frame with an extremely large 64-bit length. This causes undici's ByteParser to overflow its internal calculations, leading to an invalid state and a fatal TypeError. The primary consequence is a Denial of Service (DoS), which terminates the process.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2447157, 2447158, 2447160, 2447162    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-12 21:02:00 UTC 
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Comment 3 errata-xmlrpc 2026-04-08 13:54:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:7080 https://access.redhat.com/errata/RHSA-2026:7080
Comment 4 errata-xmlrpc 2026-04-08 18:04:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:7123 https://access.redhat.com/errata/RHSA-2026:7123
Comment 5 errata-xmlrpc 2026-04-09 12:47:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:7302 https://access.redhat.com/errata/RHSA-2026:7302
Comment 6 errata-xmlrpc 2026-04-09 13:19:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:7310 https://access.redhat.com/errata/RHSA-2026:7310
Comment 7 errata-xmlrpc 2026-04-09 20:20:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:7350 https://access.redhat.com/errata/RHSA-2026:7350
Comment 8 errata-xmlrpc 2026-04-13 02:23:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:7675 https://access.redhat.com/errata/RHSA-2026:7675
Comment 9 errata-xmlrpc 2026-04-13 02:47:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:7670 https://access.redhat.com/errata/RHSA-2026:7670
Comment 11 errata-xmlrpc 2026-04-14 06:52:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:7983 https://access.redhat.com/errata/RHSA-2026:7983
Comment 12 errata-xmlrpc 2026-05-26 03:53:52 UTC 
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2026:17789 https://access.redhat.com/errata/RHSA-2026:17789