MGASA-2026-0071

Source
https://advisories.mageia.org/MGASA-2026-0071.html
Import Source
https://advisories.mageia.org/MGASA-2026-0071.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2026-0071
Related
  • CVE-2026-21637
  • CVE-2026-21710
  • CVE-2026-21713
  • CVE-2026-21714
  • CVE-2026-21715
  • CVE-2026-21716
  • CVE-2026-21717
Published
2026-03-28T07:26:21Z
Modified
2026-03-28T07:30:56.772426Z
Summary
Updated nodejs packages fix security vulnerabilities
Details

  • Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS. (CVE-2026-21637)
  • Denial of Service via __proto__ header name in req.headersDistinct (Uncaught TypeError crashes Node.js process). (CVE-2026-21710)
  • Timing side-channel in HMAC verification via memcmp() in crypto_hmac.cc leads to potential MAC forgery. (CVE-2026-21713)
  • Memory leak in Node.js HTTP/2 server via WINDOW_UPDATE on stream 0 leads to resource exhaustion. (CVE-2026-21714)
  • Permission Model Bypass in realpathSync.native Allows File Existence Disclosure. (CVE-2026-21715)
  • CVE-2024-36137 Patch Bypass - FileHandle.chmod/chown. (CVE-2026-21716)
  • HashDoS in V8. (CVE-2026-21717)


Affected packages

Mageia:9 / nodejs

Package

Name
nodejs
Purl
pkg:rpm/mageia/nodejs?arch=source&distro=mageia-9

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
22.22.2-1.mga9

Ecosystem specific

{
    "section": "core"
}

Database specific

source
"https://advisories.mageia.org/MGASA-2026-0071.json"