OESA-2026-2820

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2820
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-2820.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-2820
Upstream
  • CVE-2026-21714
Published
2026-07-06T06:26:40Z
Modified
2026-07-06T06:45:17.018534727Z
Summary
nodejs security update
Details

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.

Security Fix(es):

A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) (CVE-2025-59465)

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.(CVE-2026-21637)

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.

This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.(CVE-2026-21714)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:20.03-LTS-SP4 / nodejs

Package

Name
nodejs
Purl
pkg:rpm/openEuler/nodejs&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
12.22.11-11.oe2003sp4

Ecosystem specific

{
    "x86_64": [
        "nodejs-12.22.11-11.oe2003sp4.x86_64.rpm",
        "nodejs-debuginfo-12.22.11-11.oe2003sp4.x86_64.rpm",
        "nodejs-debugsource-12.22.11-11.oe2003sp4.x86_64.rpm",
        "nodejs-devel-12.22.11-11.oe2003sp4.x86_64.rpm",
        "nodejs-full-i18n-12.22.11-11.oe2003sp4.x86_64.rpm",
        "nodejs-libs-12.22.11-11.oe2003sp4.x86_64.rpm",
        "npm-6.14.16-1.12.22.11.11.oe2003sp4.x86_64.rpm",
        "v8-devel-7.8.279.23-1.12.22.11.11.oe2003sp4.x86_64.rpm"
    ],
    "noarch": [
        "nodejs-docs-12.22.11-11.oe2003sp4.noarch.rpm"
    ],
    "src": [
        "nodejs-12.22.11-11.oe2003sp4.src.rpm"
    ],
    "aarch64": [
        "nodejs-12.22.11-11.oe2003sp4.aarch64.rpm",
        "nodejs-debuginfo-12.22.11-11.oe2003sp4.aarch64.rpm",
        "nodejs-debugsource-12.22.11-11.oe2003sp4.aarch64.rpm",
        "nodejs-devel-12.22.11-11.oe2003sp4.aarch64.rpm",
        "nodejs-full-i18n-12.22.11-11.oe2003sp4.aarch64.rpm",
        "nodejs-libs-12.22.11-11.oe2003sp4.aarch64.rpm",
        "npm-6.14.16-1.12.22.11.11.oe2003sp4.aarch64.rpm",
        "v8-devel-7.8.279.23-1.12.22.11.11.oe2003sp4.aarch64.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2820.json"