[Git][security-tracker-team/security-tracker][master] Add initial tracking of new nodejs issues

[Salvatore Bonaccorso (@carnil)]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
77af5c4a by Salvatore Bonaccorso at 2026-03-25T06:49:12+01:00
Add initial tracking of new nodejs issues

All of those need to get a proper assessment for severity and tracking
of older versions yet.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,27 @@
+CVE-2026-71717
+	- nodejs <unfixed>
+	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#hashdos-in-v8-cve-2026-21717---medium
+CVE-2026-21716
+	- nodejs <unfixed>
+	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#cve-2024-36137-patch-bypass---filehandlechmodchown-cve-2026-21716---low
+CVE-2026-21715
+	- nodejs <unfixed>
+	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#permission-model-bypass-in-realpathsyncnative-allows-file-existence-disclosure-cve-2026-21715---low
+CVE-2026-21714
+	- nodejs <unfixed>
+	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#memory-leak-in-nodejs-http2-server-via-window_update-on-stream-0-leads-to-resource-exhaustion-cve-2026-21714---medium
+CVE-2026-21713
+	- nodejs <unfixed>
+	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#timing-side-channel-in-hmac-verification-via-memcmp-in-crypto_hmaccc-leads-to-potential-mac-forgery-cve-2026-21713---medium
+CVE-2026-21712
+	- nodejs <unfixed>
+	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#assertion-error-in-node_urlcc-via-malformed-url-format-leads-to-nodejs-crash-cve-2026-21712---medium
+CVE-2026-21711
+	- nodejs <not-affected> (Vulnerable code not present)
+	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#nodejs-permission-model-bypass-uds-server-bindlisten-works-without---allow-net-cve-2026-21711---medium
+CVE-2026-21710
+	- nodejs <unfixed>
+	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#denial-of-service-via-__proto__-header-name-in-reqheadersdistinct-uncaught-typeerror-crashes-nodejs-process-cve-2026-21710---high
 CVE-2026-31788
 	- linux <unfixed>
 	NOTE: https://xenbits.xen.org/xsa/advisory-482.html
@@ -29641,6 +29665,8 @@ CVE-2026-21637 (A flaw in Node.js TLS error handling allows remote attackers to
 	- nodejs 22.22.0+dfsg+~cs22.19.6-1
 	NOTE: https://nodejs.org/en/blog/vulnerability/december-2025-security-releases#tls-pskalpn-callback-exceptions-bypass-error-handlers-causing-dos-and-fd-leak-cve-2026-21637---medium
 	NOTE: Fixed by: https://github.com/nodejs/node/commit/85f73e7057e9badf6e7713f7440769375cdb5df5 (v20.20.0)
+	NOTE: Fix was incomplete (but did not got a new CVE for the incomplete fix):
+	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#incomplete-fix-for-cve-2026-21637-loadsni-in-_tls_wrapjs-lacks-trycatch-leading-to-remote-dos-cve-2026-21637---high
 CVE-2026-21636 (A flaw in Node.js's permission model allows Unix Domain Socket (UDS) c ...)
 	- nodejs <not-affected> (Only affects Node.js v25)
 	NOTE: https://nodejs.org/en/blog/vulnerability/december-2025-security-releases#nodejs-permission-model-bypass-via-unchecked-unix-domain-socket-connections-uds-cve-2026-21636---medium



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77af5c4aab9dfd3e4427ee7453a0f571a8dba09b

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77af5c4aab9dfd3e4427ee7453a0f571a8dba09b
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260325/7d873fc3/attachment.htm>