Updated nodejs packages fix security vulnerabilities
Publication date: 28 Mar 2026
Modification date: 28 Mar 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-21637, CVE-2026-21710, CVE-2026-21713, CVE-2026-21714, CVE-2026-21715, CVE-2026-21716, CVE-2026-21717
Description
- Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS. (CVE-2026-21637)
- Denial of Service via __proto__ header name in req.headersDistinct (Uncaught TypeError crashes Node.js process). (CVE-2026-21710)
- Timing side-channel in HMAC verification via memcmp() in crypto_hmac.cc leads to potential MAC forgery. (CVE-2026-21713)
- Memory leak in Node.js HTTP/2 server via WINDOW_UPDATE on stream 0 leads to resource exhaustion. (CVE-2026-21714)
- Permission Model Bypass in realpathSync.native Allows File Existence Disclosure. (CVE-2026-21715)
- CVE-2024-36137 Patch Bypass - FileHandle.chmod/chown. (CVE-2026-21716)
- HashDoS in V8. (CVE-2026-21717)
References
- https://bugs.mageia.org/show_bug.cgi?id=35270
- https://nodejs.org/en/blog/vulnerability/march-2026-security-releases
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21637
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21713
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21714
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21715
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21716
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21717
SRPMS
9/core
- nodejs-22.22.2-1.mga9