SB2026050418 - Fedora 42 update for nodejs20
Published: May 4, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 vulnerabilities.
1) Creation of chroot Jail Without Changing Working Directory (CVE-ID: CVE-2026-21717)
CWE-ID: CWE-243 - Creation of chroot Jail Without Changing Working Directory
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to predictable hash collisions in V8's string hashing mechanism when processing integer-like strings. A remote attacker can craft input with many colliding keys, degrading performance during JSON.parse() or other operations that internalize strings.
The most common trigger is endpoints parsing attacker-controlled JSON, leading to significant CPU and memory usage.
2) Missing release of memory after effective lifetime (CVE-ID: CVE-2026-21714)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause resource exhaustion.
The vulnerability exists due to a memory leak in the HTTP/2 server implementation when processing WINDOW_UPDATE frames on stream 0. A remote attacker can send WINDOW_UPDATE frames that exceed the maximum flow control window, causing the Http2Session object to remain allocated despite sending a GOAWAY frame.
The server fails to clean up the Http2Session object after connection termination, leading to unbounded memory consumption.
3) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-21713)
CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to potentially forge message authentication codes.
The vulnerability exists due to use of non-constant-time comparison in HMAC verification in crypto_hmac.cc when validating user-provided signatures. A remote attacker can measure timing differences during signature comparison to infer valid HMAC values, acting as a timing oracle.
Exploitation requires high-resolution timing measurements and repeated queries under a favorable threat model.
4) Improper Access Control (CVE-ID: CVE-2026-21716)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to modify file permissions and ownership.
The vulnerability exists due to improper access control in FileHandle.chmod() and FileHandle.chown() methods in the promises API when modifying file metadata. A local user can run code under --permission with restricted --allow-fs-write to use promise-based FileHandle methods and change permissions or ownership of already-open file descriptors, bypassing intended write restrictions.
This issue affects only environments using the Permission Model with --allow-fs-write intentionally restricted.
Note, the vulnerability exists due to incomplete fix for #VU93881 (CVE-2024-36137).
5) Improper Access Control (CVE-ID: CVE-2026-21715)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose file existence and resolve symlinks.
The vulnerability exists due to improper access control in fs.realpathSync.native() within the Node.js Permission Model when accessing filesystem paths. A local user can run code under --permission with restricted --allow-fs-read to use fs.realpathSync.native() and determine file existence, resolve symlink targets, and enumerate paths outside permitted directories.
This bypass affects only environments using the Permission Model with intentionally restricted filesystem read permissions.
6) Improper error handling (CVE-ID: CVE-2026-21710)
CWE-ID: CWE-388 - Error Handling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper handling of special property names in HTTP headers in req.headersDistinct when parsing incoming HTTP requests. A remote attacker can send a request with a header named __proto__ to trigger a TypeError when the application accesses req.headersDistinct, crashing the Node.js process.
The exception occurs synchronously in a property getter and cannot be caught without wrapping every access in try/catch.
Remediation
Install update from vendor's website.