PatchSiren cyber security CVE debrief
CVE-2026-1526 Nodejs CVE debrief
CVE-2026-1526 is a high-severity denial-of-service vulnerability in the undici WebSocket client. The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold. A malicious WebSocket server can send a small compressed frame that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive. The vulnerability has a CVSS score of 7.5 and is considered high severity. The CVE was published on March 12, 2026, and modified on June 30, 2026.
- Vendor: Nodejs
- Product: Undici
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-12
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-12
- Advisory updated: 2026-06-30
Who should care
Developers and administrators running the undici WebSocket client in Node.js applications should be aware of this vulnerability and take steps to mitigate it. This means updating to a patched version of undici and adding further defences against denial-of-service attacks. Organizations on affected versions of undici should prioritize patching and consider compensating controls until the patch is applied.
Technical summary
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. This allows a malicious WebSocket server to send a small compressed frame that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive. The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
Defensive priority
High priority should be given to patching affected systems and adding further defences against denial-of-service attacks. This includes updating to a patched version of undici and monitoring for suspicious WebSocket activity.
Recommended defensive actions
- Update to a patched version of undici
- Implement additional security measures to prevent denial-of-service attacks
- Monitor for suspicious WebSocket activity
- Consider implementing compensating controls to prevent exploitation
- Review and update incident response plans to address potential denial-of-service attacks
Evidence notes
The CVE-2026-1526 vulnerability was published on March 12, 2026, and modified on June 30, 2026. The vulnerability has a CVSS score of 7.5 and is considered high severity. The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold. A malicious WebSocket server can send a small compressed frame that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
Official resources
- CVE-2026-1526 CVE record (CVE.org)
- CVE-2026-1526 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: ce714d77-add3-4f53-aff5-83d477b104bb - Vendor Advisory
- Source reference: ce714d77-add3-4f53-aff5-83d477b104bb - Technical Description
- Source reference: ce714d77-add3-4f53-aff5-83d477b104bb - Permissions Required
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.