[Git][security-tracker-team/security-tracker][master] CVE-2026-2171[5-6]
Bastien Roucariès (@rouca)
rouca at debian.org
Sun Apr 26 21:19:54 BST 2026
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7c29a1ba by Bastien Roucariès at 2026-04-26T22:19:14+02:00
CVE-2026-2171[5-6]
Not affected bookworm and bullseye
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -18175,11 +18175,17 @@ CVE-2026-21716 (An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()`
[bullseye] - nodejs <not-affected> (Feature was introduced in nodeJS 20)
NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#cve-2024-36137-patch-bypass---filehandlechmodchown-cve-2026-21716---low
NOTE: Fixed by: https://github.com/nodejs/node/commit/012330956669e06864a674917de352d2d69ff51c (v20.20.2)
+ NOTE: Feature introduced in 20 see https://nodejs.org/en/blog/announcements/v20-release-announce
+ NOTE: Documentation of the flag: https://nodejs.org/api/cli.html#--experimental-permission (Added in v20.0.0)
CVE-2026-21715 (A flaw in Node.js Permission Model filesystem enforcement leaves `fs.r ...)
{DSA-6183-1}
- nodejs 22.22.2+dfsg+~cs22.19.15-1
+ [bookworm] - nodejs <not-affected> (Feature was introduced in nodeJS 20)
+ [bullseye] - nodejs <not-affected> (Feature was introduced in nodeJS 20)
NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#permission-model-bypass-in-realpathsyncnative-allows-file-existence-disclosure-cve-2026-21715---low
NOTE: Fixed by: https://github.com/nodejs/node/commit/00830712bc623ba04b08856462a56b79e29f5cc3 (v20.20.2)
+ NOTE: Feature introduced in 20 see https://nodejs.org/en/blog/announcements/v20-release-announce
+ NOTE: Documentation of the flag: https://nodejs.org/api/cli.html#--experimental-permission (Added in v20.0.0)
CVE-2026-21714 (A memory leak occurs in Node.js HTTP/2 servers when a client sends WIN ...)
{DSA-6183-1}
- nodejs 22.22.2+dfsg+~cs22.19.15-1
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c29a1ba99fae18994f003b6d0d62d2877ce3710
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c29a1ba99fae18994f003b6d0d62d2877ce3710
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260426/f9413c2c/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list