## This update for nodejs24 fixes the following issues:

* Update to 24.14.1
* CVE-2026-21637: synchronous exceptions thrown during certain callbacks bypass the standard TLS error handling paths and can cause a denial of service (bsc#1256576).
* CVE-2026-21710: uncaught TypeError exception can cause a denial of service (bsc#1260455).
* CVE-2026-21712: malformed URL format can lead to a crash (bsc#1260460).
* CVE-2026-21713: timing side-channel in HMAC verification via memcmp can lead to potential MAC forgery (bsc#1260463).
* CVE-2026-21714: WINDOW_UPDATE frames on stream 0 can lead to memory leak (bsc#1260480).
* CVE-2026-21715: permission model bypass in realpathSync.native can allow file existence disclosure (bsc#1260482).
* CVE-2026-21716: promise-based FileHandle methods can be used to modify file
* bsc#1256572
* bsc#1256576
* bsc#1260455
* bsc#1260460
* bsc#1260462
* bsc#1260463
* bsc#1260480
* bsc#1260482
* bsc#1260494
Cross-References:
* CVE-2025-59464
* CVE-2026-21637
* CVE-2026-21710
* CVE-2026-21712
* CVE-2026-21713
* CVE-2026-21714
* CVE-2026-21715
* CVE-2026-21716
* CVE-2026-21717
CVSS scores:
* CVE-2025-59464 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-59464 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-59464 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-59464 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-21637 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N