SB20260424114 - Anolis OS update for nodejs
Published: April 24, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Improper Access Control (CVE-ID: CVE-2026-21716)
The vulnerability allows a local user to modify file permissions and ownership.
The vulnerability exists due to improper access control in FileHandle.chmod() and FileHandle.chown() methods in the promises API when modifying file metadata. A local user can run code under --permission with restricted --allow-fs-write to use promise-based FileHandle methods and change permissions or ownership of already-open file descriptors, bypassing intended write restrictions.
This issue affects only environments using the Permission Model with --allow-fs-write intentionally restricted.
Note, the vulnerability exists due to incomplete fix for #VU93881 (CVE-2024-36137).
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-36137)
The vulnerability allows a remote user to escalate privileges within the application.
The vulnerability exists due to application does not properly impose security restrictions in the experimental permission model when the --allow-fs-write flag is used. A remote user can change file ownership and permissions via fs.fchown and fs.fchmod.
Remediation
Install update from vendor's website.