SB20260424153 - Red Hat Enterprise Linux 9 update for the nodejs:24 module

Published: April 24, 2026

Security Bulletin ID SB20260424153
Severity
High
Patch available
YES
Number of vulnerabilities 18
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

High 6%, Medium 67%, Low 28%

Description

This security bulletin contains information about 18 security vulnerabilities.


1) Improper error handling (CVE-ID: CVE-2026-21637)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper error handling in _tls_wrap.js when processing the SNI servername sent in a TLS ClientHello. A remote attacker can open a TLS connection with a specially crafted servername that makes the application's SNICallback throw; the exception is not caught, crashing the Node.js process.

Exploitation requires that the server be configured with an SNICallback and that the callback throw synchronously during the TLS handshake.


2) Inefficient regular expression complexity (CVE-ID: CVE-2026-25547)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with regular expressions. When a remote attacker provides a pattern containing repeated numeric brace ranges, the library eagerly generates every possible combination synchronously. Because the expansion grows exponentially with the number of ranges, even a short input can consume excessive CPU and memory and may crash the Node.js process.


3) Inefficient regular expression complexity (CVE-ID: CVE-2026-26996)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with regular expressions within the minimatch function. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.
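For items 2 and 3, the added example below (not code from minimatch, brace-expansion or this bulletin) shows an application-side pre-screen for glob patterns that come from untrusted input: it caps pattern length (a blunt but effective bound on ReDoS work) and estimates how many strings brace expansion would produce before the real library is invoked. The estimator handles comma lists and numeric {a..b[..step]} ranges, including nested groups, and multiplies across adjacent groups; alphabetic ranges are not modelled. The limits are assumptions for the example.

```javascript
// Added example, not code from minimatch or brace-expansion: estimate the size of a
// pattern's brace expansion and refuse patterns that are too long or expand too far.

// Index of the '}' that closes the '{' at `open`, or -1 if unbalanced.
function matchingBrace(s, open) {
  let depth = 0;
  for (let j = open; j < s.length; j++) {
    if (s[j] === '\\') { j++; continue; }          // skip escaped character
    if (s[j] === '{') depth++;
    else if (s[j] === '}' && --depth === 0) return j;
  }
  return -1;
}

// Number of strings a single brace group body expands to.
function groupSize(body) {
  const range = /^(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?$/.exec(body);
  if (range) {
    const a = Number(range[1]), b = Number(range[2]);
    const step = Math.max(1, Math.abs(Number(range[3] || 1)));
    return Math.floor(Math.abs(b - a) / step) + 1;
  }
  // Comma list: split on top-level commas and add up what each alternative expands to
  // (an alternative may itself contain nested groups).
  const parts = [];
  let depth = 0, start = 0;
  for (let k = 0; k < body.length; k++) {
    if (body[k] === '\\') { k++; continue; }
    if (body[k] === '{') depth++;
    else if (body[k] === '}') depth--;
    else if (body[k] === ',' && depth === 0) { parts.push(body.slice(start, k)); start = k + 1; }
  }
  parts.push(body.slice(start));
  return parts.reduce((n, p) => n + estimateBraceExpansions(p), 0);
}

// Product of all top-level group sizes in the pattern. An unbalanced '{' stops the
// scan, since the shells and libraries treat it literally.
function estimateBraceExpansions(pattern) {
  let total = 1;
  let i = 0;
  while (i < pattern.length) {
    if (pattern[i] === '\\') { i += 2; continue; }
    if (pattern[i] !== '{') { i++; continue; }
    const j = matchingBrace(pattern, i);
    if (j < 0) break;
    total *= groupSize(pattern.slice(i + 1, j));
    i = j + 1;
  }
  return total;
}

// Gate to run before handing an untrusted pattern to minimatch/glob. Caps are assumptions.
function screenGlobPattern(pattern, { maxLength = 256, maxExpansions = 1000 } = {}) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  if (pattern.length > maxLength) return { ok: false, reason: 'pattern too long' };
  const expansions = estimateBraceExpansions(pattern);
  if (expansions > maxExpansions) {
    return { ok: false, reason: `would expand to ${expansions} patterns` };
  }
  return { ok: true, expansions };
}

// Constructed inputs: an ordinary pattern and the shape the bulletin describes,
// two adjacent numeric ranges whose sizes multiply.
const benignPattern = 'src/**/*.{js,ts}';
const hostilePattern = '{1..1000}{1..1000}';
```

The estimate is computed in time linear in the pattern length, so the check itself cannot be turned into the denial of service it is meant to prevent; only patterns that pass it are handed to the library.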


4) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-2581)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in DeduplicationHandler when processing deduplicated requests with large or chunked response bodies from an attacker-controlled or untrusted upstream endpoint. A remote attacker can trigger concurrent identical requests that cause response data to accumulate in memory to cause a denial of service.

Only applications with interceptors.deduplicate() enabled are vulnerable.


5) CRLF injection (CVE-ID: CVE-2026-1527)

The vulnerability allows a remote attacker to inject arbitrary HTTP headers and smuggle raw data to non-HTTP services.

The vulnerability exists due to improper neutralization of CRLF sequences in the upgrade option of client.request() when processing user-controlled input. A remote attacker can supply a specially crafted upgrade value to inject arbitrary HTTP headers and smuggle raw data to non-HTTP services.

The issue is only reachable when the application passes user-controlled input to the upgrade option.


6) Improper handling of highly compressed data (CVE-ID: CVE-2026-1526)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of highly compressed data in PerMessageDeflate.decompress() when decompressing incoming WebSocket frames negotiated with the permessage-deflate extension. A remote attacker can send a specially crafted compressed WebSocket frame to cause a denial of service.

Memory exhaustion occurs in native or external memory and can cause the Node.js process to crash or become unresponsive.


7) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-2229)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper validation of specified quantity in WebSocket client permessage-deflate handling when processing a server response containing an out-of-range server_max_window_bits value followed by a compressed frame. A remote attacker can send a crafted WebSocket handshake response and compressed frame to cause a denial of service.

The issue results in an uncaught synchronous RangeError exception that terminates the Node.js process.


8) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-1525)

The vulnerability allows a remote attacker to smuggle HTTP requests.

The vulnerability exists due to inconsistent interpretation of HTTP requests in undici low-level HTTP request APIs when processing headers passed as flat arrays with case-variant duplicate Content-Length names. A remote attacker can supply specially crafted header arrays to smuggle HTTP requests.

Exploitation requires an intermediary and backend to interpret duplicate Content-Length headers inconsistently.
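For items 5 and 8, the added example below (not undici's code and not part of this bulletin) shows the check an application can run on header material before it reaches a low-level client API: control characters, including CR and LF, are refused in names and values; the upgrade value is restricted to protocol tokens; and a second Content-Length or Transfer-Encoding name, in any letter case, is refused outright rather than forwarded. The sample inputs are constructed for the example.

```javascript
// Added example (not undici code): sanitize outbound headers and the `upgrade` value
// so that nothing reaching a low-level request API can alter message framing.

const CTL = /[\x00-\x1f\x7f]/;                       // CR, LF and all other ASCII controls
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;      // RFC 9110 header-name token
const PROTO = "[!#$%&'*+\\-.^_`|~0-9A-Za-z/]+";      // Upgrade protocol-name[/version]
const UPGRADE = new RegExp(`^${PROTO}(?:, ?${PROTO})*$`);

// Accept both the flat-array form ['k', 'v', 'k2', 'v2'] and the object form { k: v }.
function toPairs(headers) {
  if (Array.isArray(headers)) {
    if (headers.length % 2 !== 0) throw new TypeError('flat header array must have even length');
    const pairs = [];
    for (let i = 0; i < headers.length; i += 2) pairs.push([headers[i], headers[i + 1]]);
    return pairs;
  }
  return Object.entries(headers || {});
}

// Returns a prototype-less object with lower-cased names, or throws on anything
// that could change how an intermediary or backend frames the request.
function sanitizeHeaders(headers) {
  const out = Object.create(null);
  for (const [rawName, rawValue] of toPairs(headers)) {
    const name = String(rawName);
    if (!TOKEN.test(name)) throw new TypeError(`invalid header name: ${JSON.stringify(name)}`);
    const lower = name.toLowerCase();
    const values = Array.isArray(rawValue) ? rawValue : [rawValue];
    for (const v of values) {
      const value = String(v);
      if (CTL.test(value)) throw new TypeError(`control character in header ${lower}`);
      if (lower === 'content-length' || lower === 'transfer-encoding') {
        // A second framing header, even with an identical value, is never forwarded.
        if (lower in out) throw new TypeError(`duplicate ${lower} header`);
        if (lower === 'content-length' && !/^\d+$/.test(value)) {
          throw new TypeError('non-numeric content-length');
        }
      }
      out[lower] = lower in out ? `${out[lower]}, ${value}` : value;
    }
  }
  return out;
}

// The `upgrade` option is a comma-separated list of protocol tokens and nothing else.
function sanitizeUpgrade(upgrade) {
  const value = String(upgrade);
  if (!UPGRADE.test(value)) throw new TypeError('invalid upgrade value');
  return value;
}

// Constructed inputs: the first would smuggle an extra header line through the upgrade
// value; the second carries two Content-Length names differing only in case.
const smuggledUpgrade = 'websocket\r\nX-Injected: 1';
const conflictingHeaders = ['Content-Length', '5', 'content-length', '100'];
```

Rejecting rather than de-duplicating the second Content-Length is deliberate: once two values exist, the request has no single correct framing, and silently picking one only moves the disagreement to the next hop.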


9) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-1528)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper validation of specified quantity in input in the ByteParser when processing a WebSocket frame with a 64-bit length field. A remote attacker can send an extremely large length value to cause a denial of service.
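Items 7 and 9 both come down to a number taken from the peer and used without a range check. The added example below (not undici's or ws's code and not part of this bulletin) validates both before use: the RFC 6455 payload length in its 7-bit, 16-bit and 64-bit forms, refusing values above a cap or with the 64-bit most significant bit set, and the server_max_window_bits parameter from a permessage-deflate response, enforcing the RFC 7692 range 8..15. The 1 MiB cap and the sample frames are constructed for the example.

```javascript
// Added example (not undici or ws code): bound the two peer-controlled quantities
// the bulletin names before a WebSocket client acts on them.

const MAX_PAYLOAD_DEFAULT = 1024 * 1024; // 1 MiB; an assumption for the example

// `buf` starts at the frame's second byte (MASK bit + 7-bit length). Returns
// { length, masked, headerBytes } where headerBytes counts the length field and, if
// present, the 4-byte masking key; throws RangeError on anything out of bounds.
function parseFrameLength(buf, maxPayload = MAX_PAYLOAD_DEFAULT) {
  if (buf.length < 1) throw new RangeError('truncated frame header');
  const masked = (buf[0] & 0x80) !== 0;
  const len7 = buf[0] & 0x7f;
  let length, headerBytes;
  if (len7 < 126) {
    length = len7; headerBytes = 1;
  } else if (len7 === 126) {
    if (buf.length < 3) throw new RangeError('truncated 16-bit length');
    length = buf.readUInt16BE(1); headerBytes = 3;
    if (length < 126) throw new RangeError('non-minimal 16-bit length');   // RFC 6455 5.2
  } else {
    if (buf.length < 9) throw new RangeError('truncated 64-bit length');
    const big = buf.readBigUInt64BE(1);
    if (big >> 63n) throw new RangeError('64-bit length with MSB set');     // RFC 6455 5.2
    if (big < 65536n) throw new RangeError('non-minimal 64-bit length');
    // Compare as BigInt before converting, so an enormous value never becomes a Number.
    if (big > BigInt(maxPayload)) throw new RangeError(`payload ${big} exceeds cap ${maxPayload}`);
    length = Number(big); headerBytes = 9;
  }
  if (length > maxPayload) throw new RangeError(`payload ${length} exceeds cap ${maxPayload}`);
  return { length, masked, headerBytes: headerBytes + (masked ? 4 : 0) };
}

// Extract server_max_window_bits from a Sec-WebSocket-Extensions response such as
// "permessage-deflate; server_max_window_bits=15; client_no_context_takeover".
// Returns 8..15, or null when the parameter is absent; throws RangeError when it is
// present but out of range or missing its value (RFC 7692 requires one in a response).
function parseServerMaxWindowBits(extensionsHeader) {
  const offer = String(extensionsHeader)
    .split(',').map(s => s.trim())
    .find(s => s.startsWith('permessage-deflate'));
  if (!offer) return null;
  for (const param of offer.split(';').slice(1)) {
    const [key, value] = param.split('=').map(s => s.trim().replace(/^"|"$/g, ''));
    if (key !== 'server_max_window_bits') continue;
    if (!/^(?:8|9|1[0-5])$/.test(value ?? '')) {
      throw new RangeError(`server_max_window_bits out of range: ${value}`);
    }
    return Number(value);
  }
  return null;
}

// Constructed frame headers (length fields only, unmasked): a 125-byte frame, a 64-bit
// length of 2^40 bytes that would exhaust memory if trusted, and one with the MSB set.
const smallFrame = Buffer.from([0x7d]);
const hugeFrame = Buffer.from([0x7f, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00]);
const msbFrame = Buffer.from([0x7f, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]);
```

The length check runs before any buffer is allocated for the payload, which is the whole point: the decision to reject must not itself depend on the attacker's number.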


10) Input validation error (CVE-ID: CVE-2026-27135)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to missing state validation in the nghttp2 session handling logic when processing malformed frames after session termination has been initiated. A remote attacker can send specially crafted frames to cause a denial of service.

For PRIORITY_UPDATE and ALTSVC frames, the affected extension types must be explicitly enabled. Builds with assertions disabled may not crash under the same conditions.


11) Reachable Assertion (CVE-ID: CVE-2026-21712)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an assertion error in node_url.cc when processing malformed internationalized domain names via url.format(). A remote attacker can provide a malformed IDN with invalid characters to trigger an assertion failure in native code, crashing the Node.js process.

The flaw is in the native URL formatting logic and does not require elevated privileges.


12) Improper error handling (CVE-ID: CVE-2026-21710)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of special property names in HTTP headers in req.headersDistinct when parsing incoming HTTP requests. A remote attacker can send a request with a header named __proto__ to trigger a TypeError when the application accesses req.headersDistinct, crashing the Node.js process.

The exception occurs synchronously in a property getter and cannot be caught without wrapping every access in try/catch.
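Since req.rawHeaders is a flat array, it can be inspected without triggering the getter. The added example below (not Node.js core code and not part of this bulletin) uses it to reject a request carrying a __proto__ header before anything reads req.headersDistinct, and builds the same name-to-values map on a prototype-less object so that no header name can reach a prototype accessor. The bulletin names only __proto__; refusing the other Object.prototype property names as well is a defensive generalisation made here, and the sample header list is constructed.

```javascript
// Added example (not Node.js core code): screen req.rawHeaders before the application
// touches req.headersDistinct, and build a safe equivalent of that map.

// Every own property name of Object.prototype, lower-cased to match how Node
// lower-cases header names. '__proto__' is among them, but is added explicitly so the
// intent survives on any engine that lists it differently.
const forbiddenNames = new Set(
  Object.getOwnPropertyNames(Object.prototype).map(n => n.toLowerCase())
);
forbiddenNames.add('__proto__');

// rawHeaders is [name, value, name, value, ...] exactly as received.
// Returns the first offending (lower-cased) name, or null when the request is clean.
function findForbiddenHeaderName(rawHeaders) {
  for (let i = 0; i < rawHeaders.length; i += 2) {
    const name = String(rawHeaders[i]).toLowerCase();
    if (forbiddenNames.has(name)) return name;
  }
  return null;
}

// Same shape as req.headersDistinct (name -> [values]) but on a null-prototype object,
// where '__proto__' is just an ordinary key rather than the inherited accessor.
function safeHeadersDistinct(rawHeaders) {
  const out = Object.create(null);
  for (let i = 0; i < rawHeaders.length; i += 2) {
    const name = String(rawHeaders[i]).toLowerCase();
    const value = String(rawHeaders[i + 1]);
    if (name in out) out[name].push(value); else out[name] = [value];
  }
  return out;
}

// Usage inside an http.createServer handler (shown, not executed here):
//   const bad = findForbiddenHeaderName(req.rawHeaders);
//   if (bad) { res.writeHead(400); return res.end(`forbidden header name: ${bad}`); }
//   const headers = safeHeadersDistinct(req.rawHeaders);

// Constructed request headers: one hostile name plus a case-variant duplicate to show
// that normal merging still works.
const hostileRawHeaders = ['Host', 'a.example', '__proto__', 'polluted', 'X-Dup', '1', 'x-dup', '2'];
```

Running the check first, rather than wrapping each access in try/catch, keeps the decision in one place and returns a 400 to the client instead of letting the request crash the process.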


13) Improper Access Control (CVE-ID: CVE-2026-21715)

The vulnerability allows a local user to disclose file existence and resolve symlinks.

The vulnerability exists due to improper access control in fs.realpathSync.native() within the Node.js Permission Model when accessing filesystem paths. A local user can run code under --permission with restricted --allow-fs-read to use fs.realpathSync.native() and determine file existence, resolve symlink targets, and enumerate paths outside permitted directories.

This bypass affects only environments using the Permission Model with intentionally restricted filesystem read permissions.


14) Improper Access Control (CVE-ID: CVE-2026-21716)

The vulnerability allows a local user to modify file permissions and ownership.

The vulnerability exists due to improper access control in FileHandle.chmod() and FileHandle.chown() methods in the promises API when modifying file metadata. A local user can run code under --permission with restricted --allow-fs-write to use promise-based FileHandle methods and change permissions or ownership of already-open file descriptors, bypassing intended write restrictions.

This issue affects only environments using the Permission Model with --allow-fs-write intentionally restricted.

Note, the vulnerability exists due to incomplete fix for #VU93881 (CVE-2024-36137).


15) Improper Access Control (CVE-ID: CVE-2026-21711)

The vulnerability allows a local user to bypass permission restrictions.

The vulnerability exists due to improper access control in Unix Domain Socket (UDS) server operations in the Node.js Permission Model when binding or listening on UDS endpoints. A local user can run code with --permission but without --allow-net to create and expose local IPC endpoints, bypassing intended network restrictions.

This issue affects only environments using the experimental Permission Model with --allow-net intentionally omitted.


16) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-21713)

The vulnerability allows a remote attacker to potentially forge message authentication codes.

The vulnerability exists due to use of non-constant-time comparison in HMAC verification in crypto_hmac.cc when validating user-provided signatures. A remote attacker can measure timing differences during signature comparison to infer valid HMAC values, acting as a timing oracle.

Exploitation requires high-resolution timing measurements and repeated queries under a favorable threat model.


17) Missing release of memory after effective lifetime (CVE-ID: CVE-2026-21714)

The vulnerability allows a remote attacker to cause resource exhaustion.

The vulnerability exists due to a memory leak in the HTTP/2 server implementation when processing WINDOW_UPDATE frames on stream 0. A remote attacker can send WINDOW_UPDATE frames that exceed the maximum flow control window, causing the Http2Session object to remain allocated despite sending a GOAWAY frame.

The server fails to clean up the Http2Session object after connection termination, leading to unbounded memory consumption.


18) Predictable hash collisions (CVE-ID: CVE-2026-21717)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to predictable hash collisions in V8's string hashing mechanism when processing integer-like strings. A remote attacker can craft input with many colliding keys, degrading performance during JSON.parse() or other operations that internalize strings.

The most common trigger is endpoints parsing attacker-controlled JSON, leading to significant CPU and memory usage.
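The added example below (not V8 or Node.js code and not part of this bulletin) is the body-parsing guard an endpoint can put in front of attacker-controlled JSON: a raw byte cap enforced before JSON.parse, which bounds how many keys a document can contain at all, followed by a walk that caps total object keys and nesting depth and reports how many keys are integer-like, the shape the bulletin identifies. All limits are assumptions for the example.

```javascript
// Added example (not V8 or Node.js code): parse untrusted JSON under explicit bounds
// and report the key profile of what was parsed.

const INTEGER_LIKE = /^(?:0|[1-9]\d*)$/;

// Returns { value, stats } or throws RangeError/TypeError. The byte cap is the primary
// control and runs before any parsing work; the key and depth caps bound what the
// application does with the result afterwards.
function parseJsonBounded(text, { maxBytes = 64 * 1024, maxKeys = 10_000, maxDepth = 32 } = {}) {
  if (typeof text !== 'string') throw new TypeError('body must be a string');
  const bytes = Buffer.byteLength(text, 'utf8');
  if (bytes > maxBytes) throw new RangeError(`body of ${bytes} bytes exceeds ${maxBytes}`);

  const value = JSON.parse(text);
  const stats = { keys: 0, integerLikeKeys: 0, depth: 0 };

  // Iterative walk so a deep document cannot overflow the call stack either.
  const stack = [[value, 1]];
  while (stack.length) {
    const [node, depth] = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    if (depth > maxDepth) throw new RangeError('nesting too deep');
    stats.depth = Math.max(stats.depth, depth);
    if (Array.isArray(node)) {
      for (const child of node) stack.push([child, depth + 1]);
    } else {
      const names = Object.keys(node);
      stats.keys += names.length;
      if (stats.keys > maxKeys) throw new RangeError('too many object keys');
      for (const name of names) {
        if (INTEGER_LIKE.test(name)) stats.integerLikeKeys++;
        stack.push([node[name], depth + 1]);
      }
    }
  }
  return { value, stats };
}

// Constructed bodies: a normal document, one with 5000 integer-like keys, and a
// 40-level nested array.
const normalBody = '{"a":{"1":1,"2":2},"b":[1,2]}';
const floodBody = '{' + Array.from({ length: 5000 }, (_, i) => `"${i}":0`).join(',') + '}';
const deepBody = '['.repeat(40) + ']'.repeat(40);
```

A high integerLikeKeys count on a route that never expects numeric keys is worth logging: it is cheap to compute and is precisely the input profile that makes this issue expensive.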


Remediation

Install the updated nodejs:24 module from the vendor's website.