## This update for nodejs22 fixes the following issues: * CVE-2026-48618: tls: normalize hostname for server identity checks (bsc#1268593). * CVE-2026-48933: crypto: guard WebCrypto cipher output length (bsc#1268592). * CVE-2026-48615: lib,test: redact proxy credentials in tunnel errors (bsc#1268598). * CVE-2026-48619: http2: cap originSet size to prevent unbounded memory growth (bsc#1268618). * CVE-2026-48928: tls: fix case-sensitive SNI context matching (bsc#1268605). * CVE-2026-48930: dns,net: reject hostnames with embedded NUL bytes (bsc#1268606). * CVE-2026-48934: tls: bind reusable sessions to authenticated host (bsc#1268608). * CVE-2026-48617: permission: handle process.chdir on writereport (bsc#1268554). * CVE-2026-48931: http: fix response queue poisoning in http.Agent
* bsc#1259853
* bsc#1262274
* bsc#1266318
* bsc#1268097
* bsc#1268477
* bsc#1268479
* bsc#1268481
* bsc#1268482
* bsc#1268554
* bsc#1268555
* bsc#1268592
* bsc#1268593
* bsc#1268598
* bsc#1268605
* bsc#1268606
* bsc#1268608
* bsc#1268609
* bsc#1268611
* bsc#1268618
Cross-
* CVE-2026-11525
* CVE-2026-12151
* CVE-2026-27135
* CVE-2026-40170
* CVE-2026-42338
* CVE-2026-48615
* CVE-2026-48617
* CVE-2026-48618
* CVE-2026-48619
* CVE-2026-48928
* CVE-2026-48930
* CVE-2026-48931
* CVE-2026-48933
* CVE-2026-48934
* CVE-2026-48935
* CVE-2026-48937
* CVE-2026-6733
* CVE-2026-9496
* CVE-2026-9679
CVSS scores:
* CVE-2026-11525 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2026-11525 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Get the latest Linux and open source security news straight to your inbox.