RLSA-2026:7675

See a problem?
Please try reporting it to the source first.
Source
https://errata.rockylinux.org/RLSA-2026:7675
Import Source
https://storage.googleapis.com/resf-osv-data/RLSA-2026:7675.json
JSON Data
https://api.osv.dev/v1/vulns/RLSA-2026:7675
Upstream
  • CVE-2026-21710
  • CVE-2026-21711
  • CVE-2026-21712
  • CVE-2026-21713
  • CVE-2026-21714
  • CVE-2026-21715
  • CVE-2026-21716
  • CVE-2026-21717
Published
2026-04-15T12:07:10.074197Z
Modified
2026-04-15T12:30:34.977687Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Important: nodejs24 security update
Details

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.

Security Fix(es):

  • nodejs: Nodejs denial of service (CVE-2026-21637)

  • brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)

  • minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)

  • undici: Undici: Denial of Service due to uncontrolled resource consumption (CVE-2026-2581)

  • undici: Undici: HTTP header injection and request smuggling vulnerability (CVE-2026-1527)

  • undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)

  • undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)

  • undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)

  • undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)

  • nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)

  • Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing (CVE-2026-21712)

  • Node.js: Node.js: Denial of Service due to crafted HTTP __proto__ header (CVE-2026-21710)

  • Node.js: Node.js: Information disclosure due to fs.realpathSync.native() bypassing filesystem read restrictions (CVE-2026-21715)

  • nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. (CVE-2026-21716)

  • Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks (CVE-2026-21711)

  • Node.js: Node.js: Information disclosure via timing oracle in HMAC verification (CVE-2026-21713)

  • Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames (CVE-2026-21714)

  • nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions (CVE-2026-21717)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References
Credits
    • Rocky Enterprise Software Foundation
    • Red Hat

Affected packages

Rocky Linux:10 / nodejs24

Package

Name
nodejs24
Purl
pkg:rpm/rocky-linux/nodejs24?distro=rocky-linux-10&epoch=1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:24.14.1-2.el10_1
Database specific 
{
    "yum_repository": "AppStream"
}

Database specific

source 
"https://storage.googleapis.com/resf-osv-data/RLSA-2026:7675.json"