[Apollo] Advisories Statistics light light Login

RLSA-2026:35842

Security Mirrored from RHSA-2026:35842
Issued at: 2026-07-08
Updated at: 2026-07-08

Synopsis

Important: nodejs22 security, bug fix, and enhancement update



Description

Node.js is a platform built on Chrome's JavaScript runtime \ for easily building fast, scalable network applications. \ Node.js uses an event-driven, non-blocking I/O model that \ makes it lightweight and efficient, perfect for data-intensive \ real-time applications that run across distributed devices.

Security Fix(es):

* ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (CVE-2026-42338)

* undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (CVE-2026-12151)

* undici: Undici: Information disclosure due to improper cache-control header parsing (CVE-2026-9678)

* undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. (CVE-2026-6733)

* undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (CVE-2026-11525)

* nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames (CVE-2026-48619)

* nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling (CVE-2026-48930)

* nodejs: Node.js: Unauthorized file metadata modification (CVE-2026-48935)

* nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() (CVE-2026-48933)

* nodejs: Node.js: Certification validation bypass in TLS host verification (CVE-2026-48934)

* Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency (CVE-2026-48928)

* nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling (CVE-2026-48615)

* nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch (CVE-2026-48618)

Bug Fix(es) and Enhancement(s):

* nodejs22: Rebase to the latest Node.js 22 release [rhel-10.2.z] (JIRA:Rocky Linux-186623)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Affected products

Rocky Linux 10 aarch64 Rocky Linux 10 ppc64le Rocky Linux 10 riscv64 Rocky Linux 10 s390x Rocky Linux 10 x86_64

Fixes

2490006 2476810 2490008 2493333 2493329 2493335 2493331 2489980 2493332 2490000 2493326 2493325 2493337

CVEs

CVE-2026-11525 CVE-2026-12151 CVE-2026-42338 CVE-2026-48615 CVE-2026-48618 CVE-2026-48619 CVE-2026-48928 CVE-2026-48930 CVE-2026-48933 CVE-2026-48934 CVE-2026-48935 CVE-2026-6733 CVE-2026-9678

Affected packages

Rocky Linux 10 aarch64 - AppStream

nodejs-full-i18n-1:22.23.1-2.el10_2.aarch64.rpm nodejs-libs-debuginfo-1:22.23.1-2.el10_2.aarch64.rpm nodejs-devel-1:22.23.1-2.el10_2.aarch64.rpm nodejs22-debuginfo-1:22.23.1-2.el10_2.aarch64.rpm nodejs-docs-1:22.23.1-2.el10_2.noarch.rpm nodejs22-debugsource-1:22.23.1-2.el10_2.aarch64.rpm nodejs-libs-1:22.23.1-2.el10_2.aarch64.rpm nodejs-1:22.23.1-2.el10_2.aarch64.rpm nodejs-debuginfo-1:22.23.1-2.el10_2.aarch64.rpm nodejs-npm-1:10.9.8-1.22.23.1.2.el10_2.aarch64.rpm nodejs22-1:22.23.1-2.el10_2.src.rpm

Rocky Linux 10 s390x - AppStream

nodejs-libs-debuginfo-1:22.23.1-2.el10_2.s390x.rpm nodejs-1:22.23.1-2.el10_2.s390x.rpm nodejs22-debugsource-1:22.23.1-2.el10_2.s390x.rpm nodejs-debuginfo-1:22.23.1-2.el10_2.s390x.rpm nodejs-docs-1:22.23.1-2.el10_2.noarch.rpm nodejs-devel-1:22.23.1-2.el10_2.s390x.rpm nodejs22-debuginfo-1:22.23.1-2.el10_2.s390x.rpm nodejs-libs-1:22.23.1-2.el10_2.s390x.rpm nodejs-full-i18n-1:22.23.1-2.el10_2.s390x.rpm nodejs22-1:22.23.1-2.el10_2.src.rpm nodejs-npm-1:10.9.8-1.22.23.1.2.el10_2.s390x.rpm

Rocky Linux 10 x86_64 - AppStream

nodejs-libs-debuginfo-1:22.23.1-2.el10_2.x86_64.rpm nodejs-debuginfo-1:22.23.1-2.el10_2.x86_64.rpm nodejs-libs-1:22.23.1-2.el10_2.x86_64.rpm nodejs22-debugsource-1:22.23.1-2.el10_2.x86_64.rpm nodejs-npm-1:10.9.8-1.22.23.1.2.el10_2.x86_64.rpm nodejs22-debuginfo-1:22.23.1-2.el10_2.x86_64.rpm nodejs-full-i18n-1:22.23.1-2.el10_2.x86_64.rpm nodejs-1:22.23.1-2.el10_2.x86_64.rpm nodejs-docs-1:22.23.1-2.el10_2.noarch.rpm nodejs-devel-1:22.23.1-2.el10_2.x86_64.rpm nodejs22-1:22.23.1-2.el10_2.src.rpm

Rocky Linux 10 ppc64le - AppStream

nodejs-libs-1:22.23.1-2.el10_2.ppc64le.rpm nodejs-full-i18n-1:22.23.1-2.el10_2.ppc64le.rpm nodejs-devel-1:22.23.1-2.el10_2.ppc64le.rpm nodejs-npm-1:10.9.8-1.22.23.1.2.el10_2.ppc64le.rpm nodejs-debuginfo-1:22.23.1-2.el10_2.ppc64le.rpm nodejs-docs-1:22.23.1-2.el10_2.noarch.rpm nodejs-libs-debuginfo-1:22.23.1-2.el10_2.ppc64le.rpm nodejs-1:22.23.1-2.el10_2.ppc64le.rpm nodejs22-debuginfo-1:22.23.1-2.el10_2.ppc64le.rpm nodejs22-1:22.23.1-2.el10_2.src.rpm nodejs22-debugsource-1:22.23.1-2.el10_2.ppc64le.rpm

Rocky Linux 10 riscv64 - AppStream

nodejs-docs-1:22.23.1-2.el10_2.noarch.rpm nodejs22-1:22.23.1-2.el10_2.src.rpm