DEBIAN-CVE-2026-21716

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-21716
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-21716.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-21716
Upstream
  • CVE-2026-21716
Downstream
Published
2026-03-30T20:16:19.873Z
Modified
2026-04-02T11:03:01.858266Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

An incomplete fix for CVE-2024-36137 leaves FileHandle.chmod() and FileHandle.chown() in the promises API without the required permission checks, while their callback-based equivalents (fs.fchmod(), fs.fchown()) were correctly patched.

As a result, code running under --permission with restricted --allow-fs-write can still use promise-based FileHandle methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.

This vulnerability affects 20.x, 22.x, 24.x, and 25.x processes using the Permission Model where --allow-fs-write is intentionally restricted.

References

Affected packages

Debian:11 / nodejs

Package

Name
nodejs
Purl
pkg:deb/debian/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

12.*
12.21.0~dfsg-5
12.22.4~dfsg-1
12.22.5~dfsg-1
12.22.5~dfsg-2~11u1
12.22.5~dfsg-2
12.22.5~dfsg-3
12.22.5~dfsg-4
12.22.5~dfsg-5
12.22.5~dfsg-6
12.22.5~dfsg-7
12.22.7~dfsg-1
12.22.7~dfsg-2
12.22.9~dfsg-1
12.22.10~dfsg-1
12.22.10~dfsg-2
12.22.12~dfsg-1~deb11u1
12.22.12~dfsg-1~deb11u2
12.22.12~dfsg-1~deb11u3
12.22.12~dfsg-1~deb11u4
12.22.12~dfsg-1~deb11u5
12.22.12~dfsg-1~deb11u6
12.22.12~dfsg-1~deb11u7
14.*
14.4.0~dfsg-1
14.4.0~dfsg-2
14.7.0~dfsg-1
14.8.0~dfsg-1
14.9.0~dfsg-1
14.11.0~dfsg-1
14.11.0~dfsg-2
14.12.0~dfsg-1
14.13.0~dfsg-1
14.16.0~dfsg-1
14.16.1~dfsg-1
14.17.0~dfsg-1
14.17.0~dfsg-2
16.*
16.11.1~dfsg-1
16.13.0~dfsg-1
16.13.0~dfsg-2
16.13.0~dfsg-3
16.13.0~dfsg-4
16.13.0~dfsg-5
16.13.2~dfsg-1
16.13.2~dfsg-2
16.13.2+really14.19.0~dfsg-1
16.13.2+really14.19.0~dfsg-2
16.13.2+really14.19.1~dfsg-1
16.13.2+really14.19.1~dfsg-2
16.13.2+really14.19.1~dfsg-3
16.13.2+really14.19.1~dfsg-4
16.13.2+really14.19.1~dfsg-5
16.13.2+really14.19.1~dfsg-6
16.14.2+dfsg-1
16.14.2+dfsg-2
16.14.2+dfsg-3
16.14.2+dfsg-4
16.14.2+dfsg-5
16.14.2+dfsg1-1
16.15.0+dfsg-1
16.15.1+dfsg-1
18.*
18.3.0+dfsg-1
18.4.0+dfsg-1
18.4.0+dfsg-2
18.6.0+dfsg-1
18.6.0+dfsg-2
18.6.0+dfsg-3
18.6.0+dfsg-4
18.6.0+dfsg-5
18.7.0+dfsg-1
18.7.0+dfsg-4
18.7.0+dfsg-5
18.8.0+dfsg-1
18.10.0+dfsg-1
18.10.0+dfsg-2
18.10.0+dfsg-3
18.10.0+dfsg-4
18.10.0+dfsg-5
18.10.0+dfsg-6
18.11.0+dfsg-1
18.11.0+dfsg-2
18.11.0+dfsg-3
18.11.0+dfsg-4
18.12.0+dfsg-1
18.12.1+dfsg-1
18.12.1+dfsg-2
18.12.1+dfsg-2+0.riscv64.1
18.13.0+dfsg-1
18.13.0+dfsg1-1
18.13.0+dfsg1-1.1
18.19.0+dfsg-1
18.19.0+dfsg-2
18.19.0+dfsg-3
18.19.0+dfsg-4
18.19.0+dfsg-5
18.19.0+dfsg-6~deb12u1
18.19.0+dfsg-6~deb12u2
18.19.0+dfsg-6
18.19.1+dfsg-1
18.19.1+dfsg-2
18.19.1+dfsg-3
18.19.1+dfsg-3.1
18.19.1+dfsg-4
18.19.1+dfsg-6
18.20.1+dfsg-1
18.20.1+dfsg-2
18.20.1+dfsg-3
18.20.1+dfsg-4
18.20.4+dfsg-1~deb12u1
20.*
20.10.0+dfsg-1
20.12.2+dfsg-1
20.13.0+dfsg-1
20.13.1+dfsg-1
20.13.1+dfsg-2
20.14.0+dfsg-1
20.14.0+dfsg-2
20.14.0+dfsg-3
20.15.0+dfsg-1
20.15.1+dfsg-1
20.16.0+dfsg-1
20.17.0+dfsg-1
20.17.0+dfsg-2
20.18.0+dfsg-1
20.18.0+dfsg-2
20.18.1+dfsg-1
20.18.1+dfsg-2
20.18.2+dfsg-1
20.18.2+dfsg-2
20.18.2+dfsg-3
20.18.2+dfsg-4
20.18.3+dfsg-1
20.19.0+dfsg-1
20.19.0+dfsg-2
20.19.0+dfsg1-1
20.19.2+dfsg-1
20.19.4+dfsg-1
20.19.5+dfsg+~cs20.19.12-1
20.19.5+dfsg+~cs20.19.12-2
20.19.5+dfsg+~cs20.19.12-3
20.19.5+dfsg+~cs20.19.12-4
20.19.5+dfsg+~cs20.19.24-1
22.*
22.12.0+dfsg-1
22.12.0+dfsg-2
22.12.0+dfsg-3
22.14.0+dfsg-1
22.18.0+dfsg-1
22.18.0+dfsg+~cs22.17.2-1
22.18.0+dfsg+~cs22.17.2-2
22.19.0+dfsg+~cs22.18.0-1
22.21.1+dfsg+~cs22.19.0-1
22.21.1+dfsg+~cs22.19.0-2
22.21.1+dfsg+~cs22.19.0-3
22.21.1+dfsg+~cs22.19.0-4
22.21.1+dfsg+~cs22.19.0-5
22.21.1+dfsg+~cs22.19.0-6
22.22.0+dfsg+~cs22.19.6-1
22.22.0+dfsg+~cs22.19.13-1
22.22.0+dfsg+~cs22.19.13-2
22.22.1+dfsg+~cs22.19.15-1
22.22.2+dfsg+~cs22.19.15-1
24.*
24.11.1+dfsg+~cs24.10.1-1
24.11.1+dfsg+~cs24.10.1-2
24.12.0+dfsg+~cs24.10.4-1
24.13.0+dfsg+~cs24.10.7-1
24.13.0+dfsg+~cs24.10.7-2
24.14.0+dfsg+~cs24.12.0-1
24.14.0+dfsg+~cs24.12.0-2
24.14.1+dfsg+~cs24.12.0-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-21716.json"

Debian:12 / nodejs

Package

Name
nodejs
Purl
pkg:deb/debian/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

18.*
18.13.0+dfsg1-1
18.13.0+dfsg1-1.1
18.19.0+dfsg-1
18.19.0+dfsg-2
18.19.0+dfsg-3
18.19.0+dfsg-4
18.19.0+dfsg-5
18.19.0+dfsg-6~deb12u1
18.19.0+dfsg-6~deb12u2
18.19.0+dfsg-6
18.19.1+dfsg-1
18.19.1+dfsg-2
18.19.1+dfsg-3
18.19.1+dfsg-3.1
18.19.1+dfsg-4
18.19.1+dfsg-6
18.20.1+dfsg-1
18.20.1+dfsg-2
18.20.1+dfsg-3
18.20.1+dfsg-4
18.20.4+dfsg-1~deb12u1
20.*
20.10.0+dfsg-1
20.12.2+dfsg-1
20.13.0+dfsg-1
20.13.1+dfsg-1
20.13.1+dfsg-2
20.14.0+dfsg-1
20.14.0+dfsg-2
20.14.0+dfsg-3
20.15.0+dfsg-1
20.15.1+dfsg-1
20.16.0+dfsg-1
20.17.0+dfsg-1
20.17.0+dfsg-2
20.18.0+dfsg-1
20.18.0+dfsg-2
20.18.1+dfsg-1
20.18.1+dfsg-2
20.18.2+dfsg-1
20.18.2+dfsg-2
20.18.2+dfsg-3
20.18.2+dfsg-4
20.18.3+dfsg-1
20.19.0+dfsg-1
20.19.0+dfsg-2
20.19.0+dfsg1-1
20.19.2+dfsg-1
20.19.4+dfsg-1
20.19.5+dfsg+~cs20.19.12-1
20.19.5+dfsg+~cs20.19.12-2
20.19.5+dfsg+~cs20.19.12-3
20.19.5+dfsg+~cs20.19.12-4
20.19.5+dfsg+~cs20.19.24-1
22.*
22.12.0+dfsg-1
22.12.0+dfsg-2
22.12.0+dfsg-3
22.14.0+dfsg-1
22.18.0+dfsg-1
22.18.0+dfsg+~cs22.17.2-1
22.18.0+dfsg+~cs22.17.2-2
22.19.0+dfsg+~cs22.18.0-1
22.21.1+dfsg+~cs22.19.0-1
22.21.1+dfsg+~cs22.19.0-2
22.21.1+dfsg+~cs22.19.0-3
22.21.1+dfsg+~cs22.19.0-4
22.21.1+dfsg+~cs22.19.0-5
22.21.1+dfsg+~cs22.19.0-6
22.22.0+dfsg+~cs22.19.6-1
22.22.0+dfsg+~cs22.19.13-1
22.22.0+dfsg+~cs22.19.13-2
22.22.1+dfsg+~cs22.19.15-1
22.22.2+dfsg+~cs22.19.15-1
24.*
24.11.1+dfsg+~cs24.10.1-1
24.11.1+dfsg+~cs24.10.1-2
24.12.0+dfsg+~cs24.10.4-1
24.13.0+dfsg+~cs24.10.7-1
24.13.0+dfsg+~cs24.10.7-2
24.14.0+dfsg+~cs24.12.0-1
24.14.0+dfsg+~cs24.12.0-2
24.14.1+dfsg+~cs24.12.0-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-21716.json"

Debian:13 / nodejs

Package

Name
nodejs
Purl
pkg:deb/debian/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
20.19.2+dfsg-1+deb13u2

Affected versions

20.*
20.19.2+dfsg-1
20.19.2+dfsg-1+deb13u1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-21716.json"

Debian:14 / nodejs

Package

Name
nodejs
Purl
pkg:deb/debian/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
22.22.2+dfsg+~cs22.19.15-1

Affected versions

20.*
20.19.2+dfsg-1
20.19.4+dfsg-1
20.19.5+dfsg+~cs20.19.12-1
20.19.5+dfsg+~cs20.19.12-2
20.19.5+dfsg+~cs20.19.12-3
20.19.5+dfsg+~cs20.19.12-4
20.19.5+dfsg+~cs20.19.24-1
22.*
22.12.0+dfsg-1
22.12.0+dfsg-2
22.12.0+dfsg-3
22.14.0+dfsg-1
22.18.0+dfsg-1
22.18.0+dfsg+~cs22.17.2-1
22.18.0+dfsg+~cs22.17.2-2
22.19.0+dfsg+~cs22.18.0-1
22.21.1+dfsg+~cs22.19.0-1
22.21.1+dfsg+~cs22.19.0-2
22.21.1+dfsg+~cs22.19.0-3
22.21.1+dfsg+~cs22.19.0-4
22.21.1+dfsg+~cs22.19.0-5
22.21.1+dfsg+~cs22.19.0-6
22.22.0+dfsg+~cs22.19.6-1
22.22.0+dfsg+~cs22.19.13-1
22.22.0+dfsg+~cs22.19.13-2
22.22.1+dfsg+~cs22.19.15-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-21716.json"