## This update for nodejs22 fixes the following issues

Update to 22.23.0:

* CVE-2026-6733: undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery (bsc#1268479).
* CVE-2026-9496: pacote: Excessive CPU consumption in `addGitSha` when processing a specially crafted `spec.rawSpec` value can lead to DoS (bsc#1266318).
* CVE-2026-9679: undici: HTTP header injection via Set-Cookie percent-decoding (bsc#1268477).
* CVE-2026-11525: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (bsc#1268481).
* CVE-2026-12151: undici: Denial of Service due to unbounded memory growth via WebSocket frames (bsc#1268482).

* bsc#1256576
* bsc#1259853
* bsc#1260455
* bsc#1260462
* bsc#1260463
* bsc#1260480
* bsc#1260482
* bsc#1260494
* bsc#1262274
* bsc#1266318
* bsc#1268097
* bsc#1268477
* bsc#1268479
* bsc#1268481
* bsc#1268482
* bsc#1268554
* bsc#1268555
* bsc#1268592
* bsc#1268593
* bsc#1268598
* bsc#1268605
* bsc#1268606
* bsc#1268608
* bsc#1268609
* bsc#1268611
* bsc#1268618

Cross-References:

* CVE-2026-11525
* CVE-2026-12151
* CVE-2026-21637
* CVE-2026-21710
* CVE-2026-21713
* CVE-2026-21714
* CVE-2026-21715
* CVE-2026-21716
* CVE-2026-21717
* CVE-2026-27135
* CVE-2026-40170
* CVE-2026-42338
* CVE-2026-48615
* CVE-2026-48617
* CVE-2026-48618
* CVE-2026-48619
* CVE-2026-48928
* CVE-2026-48930
* CVE-2026-48931
* CVE-2026-48933
* CVE-2026-48934
* CVE-2026-48935
* CVE-2026-48937
* CVE-2026-6733
* CVE-2026-9496