
Stay Secure with the Latest Linux Advisories


Explore Latest Linux Security advisories

We found 15 articles for you...

Linux 43 Nodejs22 Critical Denial of Service Vulnerability 2026-b4f830329b

Update to version 22.22.2.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-e3f870229a
2026-05-08 19:57:57.884168+00:00
--------------------------------------------------------------------------------

Name        : nodejs22
Product     : Fedora 43
Version     : 22.22.2
Release     : 2.fc43
URL         : http://nodejs.org/
Summary     : JavaScript runtime
Description :
Node.js is a platform built on Chrome's JavaScript runtime
for easily building fast, scalable network applications.
Node.js uses an event-driven, non-blocking I/O model that
makes it lightweight and efficient, perfect for data-intensive
real-time applications that run across distributed devices.

--------------------------------------------------------------------------------
Update Information:

Update to version 22.22.2
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 29 2026 tjuhasz - 1:22.22.2-2
- update of nghttp2
* Wed Apr 29 2026 tjuhasz - 1:22.22.2-1
- Update to version 22.22.2 (rhbz#2444849)
* Mon Jan 19 2026 Jan Staněk - 1:22.22.0-3
- Diverge from rawhide
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2447160 - CVE-2026-1528 nodejs22: undici: Denial of Service via crafted WebSocket frame with large length [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2447160
  [ 2 ] Bug #2447163 - CVE-2026-2229 nodejs22: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2447163
  [ 3 ] Bug #2447170 - CVE-2026-1525 nodejs22: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2447170
  [ 4 ] Bug #2447175 - CVE-2026-1527 nodejs22: Undici: HTTP header injection and request smuggling vulnerability [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2447175
  [ 5 ] Bug #2447181 - CVE-2026-1526 nodejs22: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2447181
  [ 6 ] Bug #2453565 - CVE-2026-21717 nodejs22: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2453565
  [ 7 ] Bug #2453568 - CVE-2026-21714 nodejs22: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2453568
  [ 8 ] Bug #2453572 - CVE-2026-21713 nodejs22: Node.js: Information disclosure via timing oracle in HMAC verification [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2453572
  [ 9 ] Bug #2453595 - CVE-2026-21716 nodejs22: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2453595
  [ 10 ] Bug #2453598 - CVE-2026-21715 nodejs22: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2453598
  [ 11 ] Bug #2453600 - CVE-2026-21710 nodejs22: Node.js: Denial of Service due to crafted HTTP `__proto__` header [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2453600
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-e3f870229a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Critical Denial of Service vulnerabilities in Fedora nodejs22 require immediate action. Upgrade to version 22.22.2 now.

nodejs22, Fedora, Denial of Service, security patch, software update.

Severity: Critical. LinuxSecurity.com Team

May 08, 2026 Critical Fedora

Fedora 44 Node.js 22.22.2 Important DoS Advisory FEDORA-2026-3b76d8047d

Update to version 22.22.2.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-3b76d8047d
2026-05-08 19:27:40.960901+00:00
--------------------------------------------------------------------------------

Name        : nodejs22
Product     : Fedora 44
Version     : 22.22.2
Release     : 3.fc44
URL         : https://nodejs.org
Summary     : JavaScript runtime
Description :
Node.js is a platform built on Chrome's JavaScript runtime
for easily building fast, scalable network applications.
Node.js uses an event-driven, non-blocking I/O model that
makes it lightweight and efficient, perfect for data-intensive
real-time applications that run across distributed devices.

--------------------------------------------------------------------------------
Update Information:

Update to version 22.22.2
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr  8 2026 tjuhasz - 1:22.22.2-3
- Rework of update of nghttp2
* Wed Apr  8 2026 tjuhasz - 1:22.22.2-2
- Update bundled nghttp2 to 1.68.1
* Wed Apr  8 2026 tjuhasz - 1:22.22.2-1
- Update to version 22.22.2 (rhbz#2444849)
* Wed Apr  8 2026 tjuhasz - 1:22.22.1-1
- Update to version 22.22.1 (rhbz#2444849)
* Wed Apr  8 2026 tjuhasz - 1:22.22.0-9
- Remove disablement of LTO from specfile
* Wed Apr  8 2026 Andrei Radchenko - 1:22.22.0-8
- spec: remove obsolete requires
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2447160 - CVE-2026-1528 nodejs22: undici: Denial of Service via crafted WebSocket frame with large length [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2447160
  [ 2 ] Bug #2447163 - CVE-2026-2229 nodejs22: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2447163
  [ 3 ] Bug #2447170 - CVE-2026-1525 nodejs22: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2447170
  [ 4 ] Bug #2447175 - CVE-2026-1527 nodejs22: Undici: HTTP header injection and request smuggling vulnerability [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2447175
  [ 5 ] Bug #2447181 - CVE-2026-1526 nodejs22: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2447181
  [ 6 ] Bug #2453565 - CVE-2026-21717 nodejs22: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2453565
  [ 7 ] Bug #2453568 - CVE-2026-21714 nodejs22: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2453568
  [ 8 ] Bug #2453572 - CVE-2026-21713 nodejs22: Node.js: Information disclosure via timing oracle in HMAC verification [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2453572
  [ 9 ] Bug #2453595 - CVE-2026-21716 nodejs22: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2453595
  [ 10 ] Bug #2453598 - CVE-2026-21715 nodejs22: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2453598
  [ 11 ] Bug #2453600 - CVE-2026-21710 nodejs22: Node.js: Denial of Service due to crafted HTTP `__proto__` header [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2453600
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-3b76d8047d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Critical update for Node.js 22.22.2 on Fedora addressing multiple vulnerabilities, including DoS.

Fedora 44 Node.js Update, Denial of Service Vulnerabilities, Security Advisory Node.js.

Severity: Important. LinuxSecurity.com Team

May 08, 2026 Important Fedora

openSUSE 15.6 nodejs22 Important Security Update 2026-1509-1

An update that solves seven vulnerabilities can now be installed.

# Security update for nodejs22

Announcement ID: SUSE-SU-2026:1509-1
Release Date: 2026-04-21T06:27:54Z
Rating: important

References:

* bsc#1256576
* bsc#1260455
* bsc#1260462
* bsc#1260463
* bsc#1260480
* bsc#1260482
* bsc#1260494

Cross-References:

* CVE-2026-21637
* CVE-2026-21710
* CVE-2026-21713
* CVE-2026-21714
* CVE-2026-21715
* CVE-2026-21716
* CVE-2026-21717

CVSS scores:

* CVE-2026-21637 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-21637 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-21637 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-21637 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-21710 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-21710 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-21710 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-21713 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2026-21713 ( SUSE ): 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-21713 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-21714 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-21714 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-21714 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-21715 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-21715 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-21715 ( NVD ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-21716 ( SUSE ): 2.0 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-21716 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-21716 ( NVD ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
* CVE-2026-21717 ( SUSE ): 7.2 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-21717 ( SUSE ): 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-21717 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

* openSUSE Leap 15.6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves seven vulnerabilities can now be installed.

## Description:

This update for nodejs22 fixes the following issues:

Update to version 22.22.2.

* CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism allows for performance degradation via a crafted request (bsc#1260494).
* CVE-2026-21716: incomplete fix for CVE-2024-36137 allows promise-based FileHandle methods to be used to modify file permissions and ownership on already-open file descriptors (bsc#1260462).
* CVE-2026-21715: flaw in the Permission Model filesystem enforcement allows for file existence disclosure and filesystem path enumeration via `fs.realpathSync.native()` (bsc#1260482).
* CVE-2026-21714: memory leak in Node.js HTTP/2 server allows for resource exhaustion via `WINDOW_UPDATE` frames sent on stream 0 (bsc#1260480).
* CVE-2026-21713: timing side-channel due to flaw in Node.js HMAC verification allows for discovery of HMAC values and potential MAC forgery (bsc#1260463).
* CVE-2026-21710: uncaught `TypeError` when handling HTTP requests allows for a process crash via requests with a header named `__proto__` when the application accesses `req.headersDistinct` (bsc#1260455).
* CVE-2026-21637: flaw in TLS error handling allows for resource exhaustion and crash when `pskCallback` or `ALPNCallback` are in use (bsc#1256576).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
  zypper in -t patch SUSE-2026-1509=1
* SUSE Linux Enterprise Server 15 SP6 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-1509=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-1509=1

## Package List:

* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
  * npm22-22.22.2-150600.13.15.1
  * nodejs22-debugsource-22.22.2-150600.13.15.1
  * nodejs22-22.22.2-150600.13.15.1
  * corepack22-22.22.2-150600.13.15.1
  * nodejs22-devel-22.22.2-150600.13.15.1
  * nodejs22-debuginfo-22.22.2-150600.13.15.1
* openSUSE Leap 15.6 (noarch)
  * nodejs22-docs-22.22.2-150600.13.15.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
  * npm22-22.22.2-150600.13.15.1
  * nodejs22-debugsource-22.22.2-150600.13.15.1
  * nodejs22-22.22.2-150600.13.15.1
  * nodejs22-devel-22.22.2-150600.13.15.1
  * nodejs22-debuginfo-22.22.2-150600.13.15.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (noarch)
  * nodejs22-docs-22.22.2-150600.13.15.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
  * npm22-22.22.2-150600.13.15.1
  * nodejs22-debugsource-22.22.2-150600.13.15.1
  * nodejs22-22.22.2-150600.13.15.1
  * nodejs22-devel-22.22.2-150600.13.15.1
  * nodejs22-debuginfo-22.22.2-150600.13.15.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (noarch)
  * nodejs22-docs-22.22.2-150600.13.15.1

## References:

* https://www.suse.com/security/cve/CVE-2026-21637.html
* https://www.suse.com/security/cve/CVE-2026-21710.html
* https://www.suse.com/security/cve/CVE-2026-21713.html
* https://www.suse.com/security/cve/CVE-2026-21714.html
* https://www.suse.com/security/cve/CVE-2026-21715.html
* https://www.suse.com/security/cve/CVE-2026-21716.html
* https://www.suse.com/security/cve/CVE-2026-21717.html
* https://bugzilla.suse.com/show_bug.cgi?id=1256576
* https://bugzilla.suse.com/show_bug.cgi?id=1260455
* https://bugzilla.suse.com/show_bug.cgi?id=1260462
* https://bugzilla.suse.com/show_bug.cgi?id=1260463
* https://bugzilla.suse.com/show_bug.cgi?id=1260480
* https://bugzilla.suse.com/show_bug.cgi?id=1260482
* https://bugzilla.suse.com/show_bug.cgi?id=1260494

Update for nodejs22 in openSUSE addresses seven critical security issues requiring immediate attention and fixes.

SUSE nodejs22 update important security patch vulnerabilities.

Severity: Important. LinuxSecurity.com Team

Apr 21, 2026 Important OpenSUSE

SUSE nodejs22 Important Resource Degradation Fix Advisory 2026-1509-1

An update that solves seven vulnerabilities can now be installed.

# Security update for nodejs22

Announcement ID: SUSE-SU-2026:1509-1
Release Date: 2026-04-21T06:27:54Z
Rating: important

Update for nodejs22 addresses seven important flaws affecting SUSE systems with specific patch instructions included.

nodejs update, SUSE vulnerabilities, system security, service patch, software maintenance.

Severity: Important. LinuxSecurity.com Team

Apr 21, 2026 Important SuSE

SUSE 15 SP7 Nodejs22 Important Security Update 2026-1478-1

An update that solves seven vulnerabilities can now be installed.

# Security update for nodejs22

Announcement ID: SUSE-SU-2026:1478-1
Release Date: 2026-04-20T10:09:08Z
Rating: important

References:

* bsc#1256576
* bsc#1260455
* bsc#1260462
* bsc#1260463
* bsc#1260480
* bsc#1260482
* bsc#1260494

Cross-References:

* CVE-2026-21637
* CVE-2026-21710
* CVE-2026-21713
* CVE-2026-21714
* CVE-2026-21715
* CVE-2026-21716
* CVE-2026-21717

CVSS scores:

* CVE-2026-21637 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-21637 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-21637 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-21637 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-21710 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-21710 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-21710 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-21713 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2026-21713 ( SUSE ): 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-21713 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-21714 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-21714 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-21714 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-21715 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-21715 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-21715 ( NVD ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-21716 ( SUSE ): 2.0 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-21716 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-21716 ( NVD ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
* CVE-2026-21717 ( SUSE ): 7.2 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-21717 ( SUSE ): 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-21717 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
* Web and Scripting Module 15-SP7

An update that solves seven vulnerabilities can now be installed.

## Description:

This update for nodejs22 fixes the following issues:

Update to version 22.22.2.

* CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism allows for performance degradation via a crafted request (bsc#1260494).
* CVE-2026-21716: incomplete fix for CVE-2024-36137 allows promise-based FileHandle methods to be used to modify file permissions and ownership on already-open file descriptors (bsc#1260462).
* CVE-2026-21715: flaw in the Permission Model filesystem enforcement allows for file existence disclosure and filesystem path enumeration via `fs.realpathSync.native()` (bsc#1260482).
* CVE-2026-21714: memory leak in Node.js HTTP/2 server allows for resource exhaustion via `WINDOW_UPDATE` frames sent on stream 0 (bsc#1260480).
* CVE-2026-21713: timing side-channel due to flaw in Node.js HMAC verification allows for discovery of HMAC values and potential MAC forgery (bsc#1260463).
* CVE-2026-21710: uncaught `TypeError` when handling HTTP requests allows for a process crash via requests with a header named `__proto__` when the application accesses `req.headersDistinct` (bsc#1260455).
* CVE-2026-21637: flaw in TLS error handling allows for resource exhaustion and crash when `pskCallback` or `ALPNCallback` are in use (bsc#1256576).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* Web and Scripting Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP7-2026-1478=1

## Package List:

* Web and Scripting Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  * nodejs22-devel-22.22.2-150700.3.9.1
  * nodejs22-debuginfo-22.22.2-150700.3.9.1
  * nodejs22-debugsource-22.22.2-150700.3.9.1
  * nodejs22-22.22.2-150700.3.9.1
  * npm22-22.22.2-150700.3.9.1
* Web and Scripting Module 15-SP7 (noarch)
  * nodejs22-docs-22.22.2-150700.3.9.1

## References:

* https://www.suse.com/security/cve/CVE-2026-21637.html
* https://www.suse.com/security/cve/CVE-2026-21710.html
* https://www.suse.com/security/cve/CVE-2026-21713.html
* https://www.suse.com/security/cve/CVE-2026-21714.html
* https://www.suse.com/security/cve/CVE-2026-21715.html
* https://www.suse.com/security/cve/CVE-2026-21716.html
* https://www.suse.com/security/cve/CVE-2026-21717.html
* https://bugzilla.suse.com/show_bug.cgi?id=1256576
* https://bugzilla.suse.com/show_bug.cgi?id=1260455
* https://bugzilla.suse.com/show_bug.cgi?id=1260462
* https://bugzilla.suse.com/show_bug.cgi?id=1260463
* https://bugzilla.suse.com/show_bug.cgi?id=1260480
* https://bugzilla.suse.com/show_bug.cgi?id=1260482
* https://bugzilla.suse.com/show_bug.cgi?id=1260494

Seven vulnerabilities in nodejs22 for SUSE can now be addressed with the latest important update released on 2026-04-20.

nodejs22 update SUSE vulnerabilities.

Severity: Important. LinuxSecurity.com Team

Apr 20, 2026 Important SuSE

Rocky Linux 10 nodejs22 Important Denial of Service RLSA-2026-7080

Important: nodejs22 security update.

Name: RLSA-2026:7080
Type: TYPE_SECURITY
Synopsis: Important: nodejs22 security update
Severity: SEVERITY_IMPORTANT
Published: 2026-04-12T06:07:10.449425Z
Affected Products: Rocky Linux 10
Reboot suggested: false

Topic:

An update is available for nodejs22.
This update affects Rocky Linux 10.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list

Description:

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.

Security Fix(es):

* brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)
* minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)
* minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions (CVE-2026-27904)
* undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)
* undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)
* undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)
* undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)
* nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)
* Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Fixes (source: Red Hat):

* 2447142: https://bugzilla.redhat.com/show_bug.cgi?id=2447142
* 2442922: https://bugzilla.redhat.com/show_bug.cgi?id=2442922
* 2447144: https://bugzilla.redhat.com/show_bug.cgi?id=2447144
* 2441268: https://bugzilla.redhat.com/show_bug.cgi?id=2441268
* 2448754: https://bugzilla.redhat.com/show_bug.cgi?id=2448754
* 2447143: https://bugzilla.redhat.com/show_bug.cgi?id=2447143
* 2436942: https://bugzilla.redhat.com/show_bug.cgi?id=2436942
* 2453151: https://bugzilla.redhat.com/show_bug.cgi?id=2453151
* 2447145: https://bugzilla.redhat.com/show_bug.cgi?id=2447145

CVEs (source: MITRE):

* CVE-2026-1525: 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, CWE-444, https://www.cve.org/CVERecord?id=CVE-2026-1525
* CVE-2026-1526: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-770, https://www.cve.org/CVERecord?id=CVE-2026-1526
* CVE-2026-1528: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-248, https://www.cve.org/CVERecord?id=CVE-2026-1528
* CVE-2026-21710: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-843, https://www.cve.org/CVERecord?id=CVE-2026-21710
* CVE-2026-2229: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-248, https://www.cve.org/CVERecord?id=CVE-2026-2229
* CVE-2026-25547: 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, CWE-409, https://www.cve.org/CVERecord?id=CVE-2026-25547
* CVE-2026-26996: 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, CWE-1333, https://www.cve.org/CVERecord?id=CVE-2026-26996
* CVE-2026-27135: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-617, https://www.cve.org/CVERecord?id=CVE-2026-27135
* CVE-2026-27904: 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, CWE-1333, https://www.cve.org/CVERecord?id=CVE-2026-27904

RPMs (Rocky Linux 10):

* nodejs-libs-debuginfo-1:22.22.2-1.el10_1.aarch64.rpm
* nodejs-full-i18n-1:22.22.2-1.el10_1.s390x.rpm
* nodejs-full-i18n-1:22.22.2-1.el10_1.x86_64.rpm
* nodejs-1:22.22.2-1.el10_1.x86_64.rpm
* nodejs-debuginfo-1:22.22.2-1.el10_1.x86_64.rpm
* nodejs-libs-1:22.22.2-1.el10_1.aarch64.rpm
* nodejs-1:22.22.2-1.el10_1.ppc64le.rpm
* nodejs22-1:22.22.2-1.el10_1.src.rpm
* nodejs22-debugsource-1:22.22.2-1.el10_1.ppc64le.rpm
* nodejs-libs-1:22.22.2-1.el10_1.ppc64le.rpm
* nodejs22-debugsource-1:22.22.2-1.el10_1.s390x.rpm
* nodejs-1:22.22.2-1.el10_1.s390x.rpm
* nodejs-devel-1:22.22.2-1.el10_1.x86_64.rpm
* nodejs-debuginfo-1:22.22.2-1.el10_1.s390x.rpm
* nodejs-devel-1:22.22.2-1.el10_1.ppc64le.rpm
* nodejs-docs-1:22.22.2-1.el10_1.noarch.rpm
* nodejs-full-i18n-1:22.22.2-1.el10_1.ppc64le.rpm
* nodejs22-debuginfo-1:22.22.2-1.el10_1.x86_64.rpm
* nodejs22-debugsource-1:22.22.2-1.el10_1.x86_64.rpm
* nodejs22-debuginfo-1:22.22.2-1.el10_1.aarch64.rpm
* nodejs-devel-1:22.22.2-1.el10_1.aarch64.rpm
* nodejs22-debugsource-1:22.22.2-1.el10_1.aarch64.rpm
* nodejs22-debuginfo-1:22.22.2-1.el10_1.ppc64le.rpm
* nodejs-debuginfo-1:22.22.2-1.el10_1.aarch64.rpm
* nodejs-libs-debuginfo-1:22.22.2-1.el10_1.s390x.rpm
* nodejs-libs-1:22.22.2-1.el10_1.s390x.rpm
* nodejs22-debuginfo-1:22.22.2-1.el10_1.s390x.rpm
* nodejs-1:22.22.2-1.el10_1.aarch64.rpm
* nodejs-libs-debuginfo-1:22.22.2-1.el10_1.ppc64le.rpm
* nodejs-npm-1:10.9.7-1.22.22.2.1.el10_1.ppc64le.rpm
* nodejs-debuginfo-1:22.22.2-1.el10_1.ppc64le.rpm
* nodejs-npm-1:10.9.7-1.22.22.2.1.el10_1.s390x.rpm
* nodejs-npm-1:10.9.7-1.22.22.2.1.el10_1.aarch64.rpm
* nodejs-devel-1:22.22.2-1.el10_1.s390x.rpm
* nodejs-full-i18n-1:22.22.2-1.el10_1.aarch64.rpm
* nodejs-libs-debuginfo-1:22.22.2-1.el10_1.x86_64.rpm
* nodejs-npm-1:10.9.7-1.22.22.2.1.el10_1.x86_64.rpm
* nodejs-libs-1:22.22.2-1.el10_1.x86_64.rpm

Critical nodejs22 security update for Rocky Linux addressing several Denial of Service issues and others.

Rocky Linux nodejs22 Denial of Service CVSS score patch.

Severity: Important. LinuxSecurity.com Team

Apr 12, 2026 Important Rocky Linux

Rocky Linux 10 RLSA-2026-7100 Nodejs25 Major System Interruption

Important: nodejs22 security update. Important security update available for nodejs22 in Rocky Linux 10. Ensure your systems are protected against DoS attacks. Rocky Linux, nodejs22, security patch, Denial of Service. Severity: Important. LinuxSecurity.com Team

Apr 12, 2026 Important Rocky Linux

Rocky Linux 10 RLSA-2026-7104 nodejs27 Severe Security Alert Update

Important: nodejs22 security update. A crucial security update for nodejs22 is now available in Rocky Linux to address various DoS threats and improve safety. Rocky Linux, nodejs22, security update, important, Denial of Service. Severity: Important. LinuxSecurity.com Team

Apr 12, 2026 Important Rocky Linux