{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-1526","assignerOrgId":"ce714d77-add3-4f53-aff5-83d477b104bb","state":"PUBLISHED","assignerShortName":"openjs","dateReserved":"2026-01-28T12:05:07.017Z","datePublished":"2026-03-12T20:08:05.950Z","dateUpdated":"2026-07-02T12:05:22.042Z"},"containers":{"cna":{"providerMetadata":{"orgId":"ce714d77-add3-4f53-aff5-83d477b104bb","shortName":"openjs","dateUpdated":"2026-03-12T20:08:05.950Z"},"title":"undici is vulnerable to Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-409","description":"CWE-409 Improper handling of highly compressed data (data amplification)","type":"CWE"}]}],"affected":[{"vendor":"undici","product":"undici","collectionURL":"https://github.com/nodejs/undici/","packageName":"undici","repo":"https://github.com/nodejs/undici/","versions":[{"status":"affected","version":"< 6.24.0; 7.0.0 < 7.24.0"},{"status":"unaffected","version":"6.24.0: 7.24.0"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a \"decompression bomb\") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.\n\nThe vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a \"decompression bomb\") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.</p><p>The vulnerability exists in the&nbsp;<code>PerMessageDeflate.decompress()</code>&nbsp;method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.</p>"}]}],"references":[{"url":"https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q"},{"url":"https://hackerone.com/reports/3481206"},{"url":"https://cna.openjsf.org/security-advisories.html"},{"url":"https://datatracker.ietf.org/doc/html/rfc7692"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseSeverity":"HIGH","baseScore":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}],"credits":[{"lang":"en","value":"Matteo Collina","type":"remediation developer"},{"lang":"en","value":"Ulises Gascón","type":"remediation developer"},{"lang":"en","value":"HO9","type":"finder"}],"source":{"advisory":"GHSA-vrm6-8vpv-qv8q","discovery":"EXTERNAL"},"x_generator":{"engine":"Vulnogram 1.0.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-13T18:04:06.608247Z","id":"CVE-2026-1526","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-13T18:04:20.683Z"}},{"affected":[{"cpes":["cpe:/a:redhat:cryostat:4::el9"],"defaultStatus":"affected","product":"Cryostat 4 on RHEL 9","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux_eus:10.0"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream EUS (v. 10.0)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10.1"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 10)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:8::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 8)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_eus:9.6::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream EUS (v.9.6)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:cluster_observability_operator:1.5::el9"],"defaultStatus":"affected","product":"Cluster Observability Operator 1.5.0","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhdh:1.8::el9"],"defaultStatus":"affected","product":"Red Hat Developer Hub 1.8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhdh:1.9::el9"],"defaultStatus":"affected","product":"Red Hat Developer Hub 1.9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai:2.16::el8"],"defaultStatus":"affected","product":"Red Hat OpenShift AI 2.16","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_devspaces:3.28::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Dev Spaces 3.28","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_pipelines:1.20::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Pipelines 1.2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_lightspeed"],"defaultStatus":"affected","product":"OpenShift Lightspeed","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_pipelines:1"],"defaultStatus":"affected","product":"OpenShift Pipelines","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhdh:1"],"defaultStatus":"affected","product":"Red Hat Developer Hub","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_devspaces:3"],"defaultStatus":"affected","product":"Red Hat OpenShift Dev Spaces","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_portal:2"],"defaultStatus":"affected","product":"Self-service automation portal 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:8"],"defaultStatus":"unaffected","product":"Red Hat JBoss Enterprise Application Platform 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jbosseapxp"],"defaultStatus":"unaffected","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","vendor":"Red Hat"}],"datePublic":"2026-03-12T20:08:05.950Z","descriptions":[{"lang":"en","value":"A flaw was found in undici. A remote attacker can exploit this vulnerability by sending a specially crafted compressed frame, known as a \"decompression bomb,\" during permessage-deflate decompression. The undici WebSocket client does not properly limit the size of decompressed data, leading to unbounded memory consumption. This can cause the Node.js process to exhaust available memory, resulting in a denial of service (DoS) where the process crashes or becomes unresponsive."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-770","description":"Allocation of Resources Without Limits or Throttling","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-1526"},{"name":"RHBZ#2447142","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447142"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1526.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:17789"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:7310"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:7080"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:7675"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:7123"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:7670"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:7983"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:7302"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:7350"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:34342"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:9742"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:13826"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:5807"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:21772"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:21931"}],"solutions":[{"lang":"en","value":"RHSA-2026:17789: Cryostat 4 on RHEL 9"},{"lang":"en","value":"RHSA-2026:7310: Red Hat Enterprise Linux AppStream EUS (v. 10.0)"},{"lang":"en","value":"RHSA-2026:7080: Red Hat Enterprise Linux AppStream (v. 10)"},{"lang":"en","value":"RHSA-2026:7675: Red Hat Enterprise Linux AppStream (v. 10)"},{"lang":"en","value":"RHSA-2026:7123: Red Hat Enterprise Linux AppStream (v. 8)"},{"lang":"en","value":"RHSA-2026:7670: Red Hat Enterprise Linux AppStream (v. 8)"},{"lang":"en","value":"RHSA-2026:7983: Red Hat Enterprise Linux AppStream EUS (v.9.6)"},{"lang":"en","value":"RHSA-2026:7302: Red Hat Enterprise Linux AppStream (v. 9)"},{"lang":"en","value":"RHSA-2026:7350: Red Hat Enterprise Linux AppStream (v. 9)"},{"lang":"en","value":"RHSA-2026:34342: Cluster Observability Operator 1.5.0"},{"lang":"en","value":"RHSA-2026:9742: Red Hat Developer Hub 1.8"},{"lang":"en","value":"RHSA-2026:13826: Red Hat Developer Hub 1.9"},{"lang":"en","value":"RHSA-2026:5807: Red Hat OpenShift AI 2.16"},{"lang":"en","value":"RHSA-2026:21772: Red Hat OpenShift Dev Spaces 3.28"},{"lang":"en","value":"RHSA-2026:21931: Red Hat OpenShift Pipelines 1.2"}],"timeline":[{"lang":"en","time":"2026-03-12T21:01:25.538Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-03-12T20:08:05.950Z","value":"Made public."}],"title":"undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-02T12:05:22.042Z"}}]}}