SB20260424155 - Red Hat Enterprise Linux 9 update for the nodejs:22 module
Published: April 24, 2026

Security Bulletin ID: SB20260424155
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 9
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 78%, Low: 22%

Description

This security bulletin contains information about 9 security vulnerabilities.


1) Inefficient regular expression complexity (CVE-ID: CVE-2026-25547)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with regular expressions. When a remote attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process.
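One mitigation for the eager expansion described above is to estimate the number of strings a pattern would expand to before expanding it, and reject patterns above a fixed budget. The following is an added example, not code from Red Hat, Node.js or the affected library; it assumes Bash-style brace syntax ("{a,b,c}" lists and "{n..m}" or "{n..m..step}" numeric ranges) and treats nested braces as literal text, which is a simplification of real brace expansion.

```javascript
// Added example: estimate the size of a brace expansion without generating it,
// so an over-budget pattern can be refused before any expansion work is done.
// Assumption: only non-nested, top-level groups are counted; nested braces are
// left as literal text (real expanders recurse, which only increases the count).
const GROUP_RE = /\{([^{}]*)\}/g;

// Number of alternatives produced by a single "{...}" group body.
function groupSize(body) {
  const range = /^(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?$/.exec(body);
  if (range) {
    const lo = Number(range[1]);
    const hi = Number(range[2]);
    // A missing or zero step counts as 1.
    const step = Math.abs(Number(range[3] ?? 1)) || 1;
    return Math.floor(Math.abs(hi - lo) / step) + 1;
  }
  // A comma list yields one alternative per element; a lone "{x}" is literal.
  return body.includes(',') ? body.split(',').length : 1;
}

// Total expansion size is the product of the group sizes, computed in O(n)
// over the pattern text instead of O(product) over the generated strings.
function expansionCount(pattern) {
  let total = 1;
  for (const m of pattern.matchAll(GROUP_RE)) {
    total *= groupSize(m[1]);
    if (!Number.isFinite(total)) break;
  }
  return total;
}

// Gate untrusted patterns behind an application-chosen budget (constructed
// default of 10,000 expansions) before handing them to an expander.
function isSafePattern(pattern, limit = 10000) {
  return expansionCount(pattern) <= limit;
}
```

The budget is the only tunable: a handful of numeric ranges multiply quickly, so the check refuses a pattern based on arithmetic over the group sizes rather than on how long the expansion takes to run.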


2) Inefficient regular expression complexity (CVE-ID: CVE-2026-26996)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with regular expressions within the "minimatch" function. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.


3) Inefficient regular expression complexity (CVE-ID: CVE-2026-27904)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with regular expressions. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.


4) Improper handling of highly compressed data (CVE-ID: CVE-2026-1526)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of highly compressed data in PerMessageDeflate.decompress() when decompressing incoming WebSocket frames negotiated with the permessage-deflate extension. A remote attacker can send a specially crafted compressed WebSocket frame to cause a denial of service.

Memory exhaustion occurs in native or external memory and can cause the Node.js process to crash or become unresponsive.


5) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-2229)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper validation of specified quantity in WebSocket client permessage-deflate handling when processing a server response containing an out-of-range server_max_window_bits value followed by a compressed frame. A remote attacker can send a crafted WebSocket handshake response and compressed frame to cause a denial of service.

The issue results in an uncaught synchronous RangeError exception that terminates the Node.js process.


6) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-1525)

The vulnerability allows a remote attacker to smuggle HTTP requests.

The vulnerability exists due to inconsistent interpretation of HTTP requests in undici low-level HTTP request APIs when processing headers passed as flat arrays with case-variant duplicate Content-Length names. A remote attacker can supply specially crafted header arrays to smuggle HTTP requests.

Exploitation requires an intermediary and backend to interpret duplicate Content-Length headers inconsistently.


7) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-1528)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper validation of specified quantity in input in the ByteParser when processing a WebSocket frame with a 64-bit length field. A remote attacker can send an extremely large length value to cause a denial of service.
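Items 5 and 7 both come down to a numeric field from the peer being used before it is range-checked: the 64-bit payload length in a frame header, and the server_max_window_bits parameter in a permessage-deflate response. The following is an added example, not code from Red Hat, Node.js or the ws library, that parses a WebSocket frame header (RFC 6455) and refuses an oversized length before it can drive an allocation, and validates server_max_window_bits against the 8..15 range that RFC 7692 defines. The maxPayload limit is an application-chosen value assumed here, not a library default.

```javascript
// Added example: defensive WebSocket frame-header parsing. The 64-bit extended
// length is compared against a limit as a BigInt, before it is converted to a
// Number or used for any buffer sizing. Assumption: maxPayload (constructed
// default 1 MiB) is chosen by the application.
function parseFrameHeader(buf, maxPayload = 1024 * 1024) {
  if (buf.length < 2) return { ok: false, reason: 'short header' };
  const fin = (buf[0] & 0x80) !== 0;
  const opcode = buf[0] & 0x0f;
  const masked = (buf[1] & 0x80) !== 0;
  let len = buf[1] & 0x7f;
  let offset = 2;
  if (len === 126) {
    if (buf.length < 4) return { ok: false, reason: 'short header' };
    len = buf.readUInt16BE(2);
    offset = 4;
  } else if (len === 127) {
    if (buf.length < 10) return { ok: false, reason: 'short header' };
    const big = buf.readBigUInt64BE(2);
    // RFC 6455 section 5.2: the most significant bit of the 64-bit length must be 0.
    if (big > 0x7fffffffffffffffn) return { ok: false, reason: 'msb set in 64-bit length' };
    // Reject while still a BigInt so an absurd value never becomes a size.
    if (big > BigInt(maxPayload)) return { ok: false, reason: 'payload length exceeds limit' };
    len = Number(big);
    offset = 10;
  }
  if (len > maxPayload) return { ok: false, reason: 'payload length exceeds limit' };
  if (masked) offset += 4; // 4-byte masking key follows the length field
  return { ok: true, fin, opcode, masked, payloadLength: len, headerLength: offset };
}

// permessage-deflate (RFC 7692 section 7.1.2.1): server_max_window_bits must be
// a decimal integer from 8 to 15. Anything else in a server's handshake
// response is refused instead of being passed to the inflater.
function validateServerMaxWindowBits(value) {
  if (!/^\d+$/.test(String(value))) return false;
  const bits = Number(value);
  return bits >= 8 && bits <= 15;
}
```

Checking the handshake parameter at negotiation time, and the length at header-parse time, keeps both decisions synchronous and explicit, so a bad value produces a rejected connection rather than an exception thrown from inside a decompressor.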


8) Input validation error (CVE-ID: CVE-2026-27135)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to missing state validation in the nghttp2 session handling logic when processing malformed frames after session termination has been initiated. A remote attacker can send specially crafted frames to cause a denial of service.

For PRIORITY_UPDATE and ALTSVC frames, the affected extension types must be explicitly enabled. Builds with assertions disabled may not crash under the same conditions.


9) Improper error handling (CVE-ID: CVE-2026-21710)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of special property names in HTTP headers in req.headersDistinct when parsing incoming HTTP requests. A remote attacker can send a request with a header named __proto__ to trigger a TypeError when the application accesses req.headersDistinct, crashing the Node.js process.

The exception occurs synchronously in a property getter and cannot be caught without wrapping every access in try/catch.
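Items 6 and 9 both concern header lists that arrive as flat arrays of alternating names and values (the shape of req.rawHeaders and of the flat arrays the undici low-level API accepts). The following is an added example, not code from Red Hat, Node.js or undici, that screens such a list before the application or an HTTP client touches it: it flags Content-Length names that differ only in case, and header names that collide with members of Object.prototype, then builds a prototype-free "distinct" map in which a __proto__ header is an ordinary own key. The Object.prototype check is a conservative generalisation assumed here; the bulletin documents only __proto__ as a crashing name.

```javascript
// Added example: pre-flight checks on a flat [name, value, name, value, ...]
// header list. Assumption: the Object.prototype collision check is deliberately
// broader than the single __proto__ case the bulletin describes.
function checkHeaderList(flat) {
  const problems = [];
  if (flat.length % 2 !== 0) problems.push('odd-length header list');
  const contentLengths = [];
  for (let i = 0; i + 1 < flat.length; i += 2) {
    const name = String(flat[i]);
    const value = String(flat[i + 1]);
    // HTTP header names are case-insensitive, so compare the lowercased form;
    // this is exactly what makes "Content-Length" and "content-length" one header.
    const lower = name.toLowerCase();
    if (lower === 'content-length') contentLengths.push(value.trim());
    // Names that are own properties of Object.prototype ("__proto__",
    // "constructor", "toString", ...) are unsafe as keys of a plain object.
    if (Object.prototype.hasOwnProperty.call(Object.prototype, lower)) {
      problems.push(`header name collides with Object.prototype: ${name}`);
    }
  }
  if (contentLengths.length > 1) {
    problems.push(`duplicate Content-Length (${contentLengths.length} occurrences)`);
  }
  if (contentLengths.some((v) => !/^\d+$/.test(v))) {
    problems.push('non-numeric Content-Length');
  }
  return { ok: problems.length === 0, problems };
}

// Build a name -> [values] map with no prototype chain, so "__proto__" is
// stored and read back as a regular own property rather than reaching the
// Object.prototype accessor.
function distinctHeaders(flat) {
  const out = Object.create(null);
  for (let i = 0; i + 1 < flat.length; i += 2) {
    const key = String(flat[i]).toLowerCase();
    if (!(key in out)) out[key] = [];
    out[key].push(String(flat[i + 1]));
  }
  return out;
}
```

Rejecting a list with more than one Content-Length, whatever the casing, removes the ambiguity that an intermediary and a backend could otherwise resolve differently; the null-prototype map is the standard way to keep attacker-chosen header names from ever being interpreted as prototype operations.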


Remediation

Install the update from the vendor's website.