RockyLinux 8 : nodejs:24 (RLSA-2026:7670)

🗓️ 13 Apr 2026 00:00:00Reported by TenableType

RockyLinux 8 reports Node.js, minimatch, undici, and nghttp2 flaws per advisory RLSA-2026:7670.

Reporter	Title	Published	Views	Family All 1416
IBM Security Bulletins	Security Bulletin: A vulnerability in the minimatch package affects IBM® Db2® Big SQL on IBM Cloud Pak for Data.	15 May 202614:43	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - IoT Component uses multiple third party dependencies which is vulnerable to multiple CVEs.	1 Apr 202607:22	–	ibm
IBM Security Bulletins	Security Bulletin: DevOps Test Performance contains a potential denial of service (DoS) vulnerability	10 Apr 202613:04	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to node modules Hono and Undici	30 Mar 202612:20	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Edge Data Collector uses minimatch-3.1.2.tgz which is vulnerable to CVE-2026-26996, CVE-2026-27903, CVE-2026-27904	1 May 202611:55	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Engineering AI hub.	6 May 202608:24	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Bob	2 Jun 202614:29	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM watsonx Code Assistant On Prem	23 Mar 202615:13	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Monitor Component uses minimatch-3.1.2.tgz, minimatch-7.4.6.tgz, minimatch-9.0.5.tgz which is vulnerable to CVE-2026-26996, CVE-2026-27903, CVE-2026-27904.	1 May 202611:55	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Scheduler Optimizer uses minimatch-3.1.2.tgz which is vulnerable to CVE-2026-26996, CVE-2026-27903, CVE-2026-27904	7 May 202613:49	–	ibm

Source	Link
errata	www.errata.rockylinux.org/RLSA-2026:7670
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
bugzilla	www.bugzilla.redhat.com/show_bug.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Rocky Linux Security Advisory RLSA-2026:7670.
##

include('compat.inc');

if (description)
{
  script_id(306061);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/14");

  script_cve_id(
    "CVE-2026-1525",
    "CVE-2026-1526",
    "CVE-2026-1527",
    "CVE-2026-1528",
    "CVE-2026-2229",
    "CVE-2026-2581",
    "CVE-2026-21637",
    "CVE-2026-21710",
    "CVE-2026-21711",
    "CVE-2026-21712",
    "CVE-2026-21713",
    "CVE-2026-21714",
    "CVE-2026-21715",
    "CVE-2026-21716",
    "CVE-2026-21717",
    "CVE-2026-26996",
    "CVE-2026-27135"
  );
  script_xref(name:"RLSA", value:"2026:7670");

  script_name(english:"RockyLinux 8 : nodejs:24 (RLSA-2026:7670)");

  script_set_attribute(attribute:"synopsis", value:
"The remote RockyLinux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote RockyLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the
RLSA-2026:7670 advisory.

    * nodejs: Nodejs denial of service (CVE-2026-21637)

    * minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)

    * undici: Undici: Denial of Service due to uncontrolled resource consumption (CVE-2026-2581)

    * undici: Undici: HTTP header injection and request smuggling vulnerability (CVE-2026-1527)

    * undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate
    decompression (CVE-2026-1526)

    * undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter
    (CVE-2026-2229)

    * undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers
    (CVE-2026-1525)

    * undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)

    * nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination
    (CVE-2026-27135)

    * Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing
    (CVE-2026-21712)

    * Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)

    * Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read
    restrictions (CVE-2026-21715)

    * nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership
    via incomplete security fix. (CVE-2026-21716)

    * Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission
    checks (CVE-2026-21711)

    * Node.js: Node.js: Information disclosure via timing oracle in HMAC verification (CVE-2026-21713)

    * Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames
    (CVE-2026-21714)

    * nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash
    collisions (CVE-2026-21717)

Tenable has extracted the preceding description block directly from the RockyLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://errata.rockylinux.org/RLSA-2026:7670");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2431340");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2441268");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2447140");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2447141");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2447142");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2447143");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2447144");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2447145");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2448754");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2453037");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2453151");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2453152");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2453157");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2453158");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2453160");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2453161");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2453162");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-1525");
  script_set_attribute(attribute:"cvss4_score_source", value:"CVE-2026-26996");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/01/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/04/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:rocky:linux:nodejs-nodemon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:rocky:linux:nodejs-packaging");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:rocky:linux:nodejs-packaging-bundler");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:rocky:linux:npm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:rocky:linux:v8-13.6-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rocky:linux:8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:rocky:linux:nodejs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:rocky:linux:nodejs-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:rocky:linux:nodejs-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:rocky:linux:nodejs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:rocky:linux:nodejs-docs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:rocky:linux:nodejs-full-i18n");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:rocky:linux:nodejs-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:rocky:linux:nodejs-libs-debuginfo");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Rocky Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RockyLinux/release", "Host/RockyLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'Rocky Linux' >!< os_product) audit(AUDIT_OS_NOT, 'Rocky Linux');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'Rocky Linux');
if (! preg(pattern:"^8([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'RockyLinux 8.x', 'Rocky Linux ' + os_version);

if (!get_kb_item('Host/RockyLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Rocky Linux', cpu);

var module_ver = get_kb_item('Host/RockyLinux/appstream/nodejs');
if (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module nodejs:24');
if ('24' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module nodejs:' + module_ver);

var constraints = {
  'nodejs:24': [
    {
      'release': '8',
      'pkgs': [
        {'reference':'nodejs-24.14.1-2.module+el8.10.0', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'nodejs-24.14.1-2.module+el8.10.0', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'nodejs-debuginfo-24.14.1-2.module+el8.10.0', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'nodejs-debuginfo-24.14.1-2.module+el8.10.0', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'nodejs-debugsource-24.14.1-2.module+el8.10.0', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'nodejs-debugsource-24.14.1-2.module+el8.10.0', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'nodejs-devel-24.14.1-2.module+el8.10.0', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'nodejs-devel-24.14.1-2.module+el8.10.0', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'nodejs-docs-24.14.1-2.module+el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'nodejs-full-i18n-24.14.1-2.module+el8.10.0', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'nodejs-full-i18n-24.14.1-2.module+el8.10.0', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'nodejs-libs-24.14.1-2.module+el8.10.0', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'nodejs-libs-24.14.1-2.module+el8.10.0', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'nodejs-libs-debuginfo-24.14.1-2.module+el8.10.0', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'nodejs-libs-debuginfo-24.14.1-2.module+el8.10.0', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'nodejs-nodemon-3.0.3-1.module+el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'nodejs-packaging-2021.06-6.module+el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'nodejs-packaging-bundler-2021.06-6.module+el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'npm-11.11.0-1.24.14.1.2.module+el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'v8-13.6-devel-13.6.233.17-1.24.14.1.2.module+el8.10.0', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'3'},
        {'reference':'v8-13.6-devel-13.6.233.17-1.24.14.1.2.module+el8.10.0', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'3'}
      ]
    }
  ]
};

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
var appstreams_found = 0;
var appstream;
var appstream_name;
var appstream_version;
foreach var module (keys(constraints)) {
  appstream = NULL;
  appstream_name = NULL;
  appstream_version = NULL;
  appstream_split = split(module, sep:':', keep:FALSE);
  if (!empty_or_null(appstream_split)) {
    appstream_name = appstream_split[0];
    appstream_version = appstream_split[1];
    if (!empty_or_null(appstream_name)) appstream = get_one_kb_item('Host/RockyLinux/appstream/' + appstream_name);
  }
  if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {
    appstreams_found++;
    foreach var module_array ( constraints[module] ) {
      # Check that the target release is equal to the affected release
      if (!empty_or_null(module_array['release'])){
        if (module_array['release'] != os_release) continue;
      }
      if (!empty_or_null(module_array['sp'])){
        if (module_array['sp'] != os_sp) continue;
      }
      foreach var package_array ( module_array['pkgs'] ) {
        reference = NULL;
        sp = NULL;
        _cpu = NULL;
        el_string = NULL;
        rpm_spec_vers_cmp = NULL;
        epoch = NULL;
        allowmaj = NULL;
        exists_check = NULL;
        cves = NULL;
        if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
        if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
        if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
        if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
        if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
        if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
        if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
        if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
        if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
        if (reference &&
            (!exists_check || rpm_exists(rpm:exists_check)) &&
            rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
      }
    }
  }
}

if (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module nodejs:24');
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nodejs / nodejs-debuginfo / nodejs-debugsource / nodejs-devel / etc');
}

14 Apr 2026 00:00Current

6.7Medium risk

Vulners AI Score6.7

CVSS 3.17.5 - 9.8

CVSS 37.5

CVSS 48.7

EPSS0.13066

SSVC