SB2026070631 - openEuler 20.03 LTS SP4 update for nodejs



SB2026070631 - openEuler 20.03 LTS SP4 update for nodejs

Published: July 6, 2026

Security Bulletin ID SB2026070631
CSH Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

High 33% Medium 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Uncaught Exception (CVE-ID: CVE-2025-59465)

CWE-ID: CWE-248 - Uncaught Exception

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper error handling in the HTTP/2 server when receiving a malformed HEADERS frame with oversized invalid HPACK data. A remote attacker can send a specially crafted HTTP/2 HEADERS frame to cause a denial of service.

This primarily affects applications that do not attach explicit error handlers to secure sockets.


2) Path manipulation (CVE-ID: CVE-2026-21637)

CWE-ID: CWE-249 - DEPRECATED: Often Misused: Path Manipulation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper error handling in _tls_wrap.js when processing TLS SNI handshake requests. A remote attacker can send a specially crafted request with unexpected servername input to cause an uncaught exception, crashing the Node.js process.

Exploitation occurs during TLS handshake when SNICallback is configured and throws synchronously.


3) Missing release of memory after effective lifetime (CVE-ID: CVE-2026-21714)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause resource exhaustion.

The vulnerability exists due to a memory leak in the HTTP/2 server implementation when processing WINDOW_UPDATE frames on stream 0. A remote attacker can send WINDOW_UPDATE frames that exceed the maximum flow control window, causing the Http2Session object to remain allocated despite sending a GOAWAY frame.

The server fails to clean up the Http2Session object after connection termination, leading to unbounded memory consumption.


Remediation

Install update from vendor's website.