[Apollo] Advisories Statistics light light Login

RLSA-2026:7675

Security Mirrored from RHSA-2026:7675
Issued at: 2026-04-15
Updated at: 2026-04-15

Synopsis

Important: nodejs24 security update



Description

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.

Security Fix(es):

* nodejs: Nodejs denial of service (CVE-2026-21637)

* brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)

* minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)

* undici: Undici: Denial of Service due to uncontrolled resource consumption (CVE-2026-2581)

* undici: Undici: HTTP header injection and request smuggling vulnerability (CVE-2026-1527)

* undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)

* undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)

* undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)

* undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)

* nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)

* Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing (CVE-2026-21712)

* Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)

* Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions (CVE-2026-21715)

* nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. (CVE-2026-21716)

* Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks (CVE-2026-21711)

* Node.js: Node.js: Information disclosure via timing oracle in HMAC verification (CVE-2026-21713)

* Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames (CVE-2026-21714)

* nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions (CVE-2026-21717)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Affected products

Rocky Linux 10 aarch64 Rocky Linux 10 ppc64le Rocky Linux 10 s390x Rocky Linux 10 x86_64

Fixes

2453162 2447142 2453160 2447144 2447140 2453161 2436942 2453151 2453037 2447141 2453158 2453157 2453152 2441268 2448754 2447143 2431340 2447145

CVEs

CVE-2026-1525 CVE-2026-1526 CVE-2026-1527 CVE-2026-1528 CVE-2026-21637 CVE-2026-21710 CVE-2026-21711 CVE-2026-21712 CVE-2026-21713 CVE-2026-21714 CVE-2026-21715 CVE-2026-21716 CVE-2026-21717 CVE-2026-2229 CVE-2026-25547 CVE-2026-2581 CVE-2026-26996 CVE-2026-27135

Affected packages

Rocky Linux 10 ppc64le - AppStream

nodejs24-debuginfo-1:24.14.1-2.el10_1.ppc64le.rpm nodejs24-devel-1:24.14.1-2.el10_1.ppc64le.rpm nodejs24-docs-1:24.14.1-2.el10_1.noarch.rpm nodejs24-libs-1:24.14.1-2.el10_1.ppc64le.rpm nodejs24-1:24.14.1-2.el10_1.ppc64le.rpm nodejs24-1:24.14.1-2.el10_1.src.rpm nodejs24-debugsource-1:24.14.1-2.el10_1.ppc64le.rpm nodejs24-libs-debuginfo-1:24.14.1-2.el10_1.ppc64le.rpm nodejs24-npm-1:11.11.0-1.24.14.1.2.el10_1.noarch.rpm nodejs24-full-i18n-1:24.14.1-2.el10_1.ppc64le.rpm

Rocky Linux 10 x86_64 - AppStream

nodejs24-libs-debuginfo-1:24.14.1-2.el10_1.x86_64.rpm nodejs24-debuginfo-1:24.14.1-2.el10_1.x86_64.rpm nodejs24-docs-1:24.14.1-2.el10_1.noarch.rpm nodejs24-1:24.14.1-2.el10_1.x86_64.rpm nodejs24-debugsource-1:24.14.1-2.el10_1.x86_64.rpm nodejs24-full-i18n-1:24.14.1-2.el10_1.x86_64.rpm nodejs24-libs-1:24.14.1-2.el10_1.x86_64.rpm nodejs24-1:24.14.1-2.el10_1.src.rpm nodejs24-npm-1:11.11.0-1.24.14.1.2.el10_1.noarch.rpm nodejs24-devel-1:24.14.1-2.el10_1.x86_64.rpm

Rocky Linux 10 aarch64 - AppStream

nodejs24-devel-1:24.14.1-2.el10_1.aarch64.rpm nodejs24-libs-debuginfo-1:24.14.1-2.el10_1.aarch64.rpm nodejs24-docs-1:24.14.1-2.el10_1.noarch.rpm nodejs24-1:24.14.1-2.el10_1.aarch64.rpm nodejs24-full-i18n-1:24.14.1-2.el10_1.aarch64.rpm nodejs24-libs-1:24.14.1-2.el10_1.aarch64.rpm nodejs24-1:24.14.1-2.el10_1.src.rpm nodejs24-debuginfo-1:24.14.1-2.el10_1.aarch64.rpm nodejs24-npm-1:11.11.0-1.24.14.1.2.el10_1.noarch.rpm nodejs24-debugsource-1:24.14.1-2.el10_1.aarch64.rpm

Rocky Linux 10 s390x - AppStream

nodejs24-devel-1:24.14.1-2.el10_1.s390x.rpm nodejs24-docs-1:24.14.1-2.el10_1.noarch.rpm nodejs24-debugsource-1:24.14.1-2.el10_1.s390x.rpm nodejs24-libs-1:24.14.1-2.el10_1.s390x.rpm nodejs24-1:24.14.1-2.el10_1.src.rpm nodejs24-1:24.14.1-2.el10_1.s390x.rpm nodejs24-full-i18n-1:24.14.1-2.el10_1.s390x.rpm nodejs24-debuginfo-1:24.14.1-2.el10_1.s390x.rpm nodejs24-npm-1:11.11.0-1.24.14.1.2.el10_1.noarch.rpm nodejs24-libs-debuginfo-1:24.14.1-2.el10_1.s390x.rpm