AlmaLinux alert ALSA-2026:7675 (nodejs24)
| From: | AlmaLinux Errata Notifications via Announce <announce@lists.almalinux.org> | |
| To: | announce@lists.almalinux.org | |
| Subject: | [Announce] [Security Advisory] ALSA-2026:7675: nodejs24 security update (Important) | |
| Date: | Wed, 15 Apr 2026 10:07:46 +0000 | |
| Message-ID: | <0100019d909c7642-1db977db-13b3-446b-9a9b-cbd3924fc926-000000@email.amazonses.com> | |
| Archive-link: | Article |
Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 10 Type: Security Severity: Important Release date: 2026-04-14 Summary: Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices. Security Fix(es): * nodejs: Nodejs denial of service (CVE-2026-21637) * brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547) * minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996) * undici: Undici: Denial of Service due to uncontrolled resource consumption (CVE-2026-2581) * undici: Undici: HTTP header injection and request smuggling vulnerability (CVE-2026-1527) * undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526) * undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229) * undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525) * undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528) * nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135) * Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing (CVE-2026-21712) * Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710) * Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions (CVE-2026-21715) * nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. (CVE-2026-21716) * Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks (CVE-2026-21711) * Node.js: Node.js: Information disclosure via timing oracle in HMAC verification (CVE-2026-21713) * Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames (CVE-2026-21714) * nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions (CVE-2026-21717) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-7675.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team _______________________________________________ Announce mailing list -- announce@lists.almalinux.org To unsubscribe send an email to announce-leave@lists.almalinux.org