SB2026041564 - Anolis OS update for nodejs
Published: April 15, 2026
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper Access Control (CVE-ID: CVE-2026-21715)
The vulnerability allows a local user to disclose file existence and resolve symlinks.
The vulnerability exists due to improper access control in fs.realpathSync.native() within the Node.js Permission Model when accessing filesystem paths. A local user whose code runs under --permission with a restricted --allow-fs-read can call fs.realpathSync.native() to determine file existence, resolve symlink targets, and enumerate paths outside the permitted directories.
This bypass affects only environments using the Permission Model with intentionally restricted filesystem read permissions.
Remediation
Install the update from the vendor's website.