RLSA-2026:7080

Synopsis

Important: nodejs22 security update

Description

Node.js is a platform built on Chrome's JavaScript runtime \ for easily building fast, scalable network applications. \ Node.js uses an event-driven, non-blocking I/O model that \ makes it lightweight and efficient, perfect for data-intensive \ real-time applications that run across distributed devices.

Security Fix(es):

* brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)

* minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)

* minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions (CVE-2026-27904)

* undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)

* undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)

* undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)

* undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)

* nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)

* Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected products

Rocky Linux 10 aarch64 Rocky Linux 10 ppc64le Rocky Linux 10 s390x Rocky Linux 10 x86_64

Fixes

2447142 2442922 2447144 2441268 2448754 2447143 2436942 2453151 2447145

CVEs

CVE-2026-1525 CVE-2026-1526 CVE-2026-1528 CVE-2026-21710 CVE-2026-2229 CVE-2026-25547 CVE-2026-26996 CVE-2026-27135 CVE-2026-27904

Affected packages

Rocky Linux 10 aarch64 - AppStream

nodejs-libs-debuginfo-1:22.22.2-1.el10_1.aarch64.rpm nodejs-libs-1:22.22.2-1.el10_1.aarch64.rpm nodejs22-1:22.22.2-1.el10_1.src.rpm nodejs-docs-1:22.22.2-1.el10_1.noarch.rpm nodejs22-debuginfo-1:22.22.2-1.el10_1.aarch64.rpm nodejs-devel-1:22.22.2-1.el10_1.aarch64.rpm nodejs22-debugsource-1:22.22.2-1.el10_1.aarch64.rpm nodejs-debuginfo-1:22.22.2-1.el10_1.aarch64.rpm nodejs-1:22.22.2-1.el10_1.aarch64.rpm nodejs-npm-1:10.9.7-1.22.22.2.1.el10_1.aarch64.rpm nodejs-full-i18n-1:22.22.2-1.el10_1.aarch64.rpm

Rocky Linux 10 s390x - AppStream

nodejs-full-i18n-1:22.22.2-1.el10_1.s390x.rpm nodejs22-1:22.22.2-1.el10_1.src.rpm nodejs22-debugsource-1:22.22.2-1.el10_1.s390x.rpm nodejs-1:22.22.2-1.el10_1.s390x.rpm nodejs-debuginfo-1:22.22.2-1.el10_1.s390x.rpm nodejs-docs-1:22.22.2-1.el10_1.noarch.rpm nodejs-libs-debuginfo-1:22.22.2-1.el10_1.s390x.rpm nodejs-libs-1:22.22.2-1.el10_1.s390x.rpm nodejs22-debuginfo-1:22.22.2-1.el10_1.s390x.rpm nodejs-npm-1:10.9.7-1.22.22.2.1.el10_1.s390x.rpm nodejs-devel-1:22.22.2-1.el10_1.s390x.rpm

Rocky Linux 10 x86_64 - AppStream

nodejs-full-i18n-1:22.22.2-1.el10_1.x86_64.rpm nodejs-1:22.22.2-1.el10_1.x86_64.rpm nodejs-debuginfo-1:22.22.2-1.el10_1.x86_64.rpm nodejs22-1:22.22.2-1.el10_1.src.rpm nodejs-devel-1:22.22.2-1.el10_1.x86_64.rpm nodejs-docs-1:22.22.2-1.el10_1.noarch.rpm nodejs22-debuginfo-1:22.22.2-1.el10_1.x86_64.rpm nodejs22-debugsource-1:22.22.2-1.el10_1.x86_64.rpm nodejs-libs-debuginfo-1:22.22.2-1.el10_1.x86_64.rpm nodejs-npm-1:10.9.7-1.22.22.2.1.el10_1.x86_64.rpm nodejs-libs-1:22.22.2-1.el10_1.x86_64.rpm

Rocky Linux 10 ppc64le - AppStream

nodejs-1:22.22.2-1.el10_1.ppc64le.rpm nodejs22-1:22.22.2-1.el10_1.src.rpm nodejs22-debugsource-1:22.22.2-1.el10_1.ppc64le.rpm nodejs-libs-1:22.22.2-1.el10_1.ppc64le.rpm nodejs-devel-1:22.22.2-1.el10_1.ppc64le.rpm nodejs-docs-1:22.22.2-1.el10_1.noarch.rpm nodejs-full-i18n-1:22.22.2-1.el10_1.ppc64le.rpm nodejs22-debuginfo-1:22.22.2-1.el10_1.ppc64le.rpm nodejs-libs-debuginfo-1:22.22.2-1.el10_1.ppc64le.rpm nodejs-npm-1:10.9.7-1.22.22.2.1.el10_1.ppc64le.rpm nodejs-debuginfo-1:22.22.2-1.el10_1.ppc64le.rpm