Linux Distros Unpatched Vulnerability : CVE-2026-27601

🗓️ 05 Mar 2026 00:00:00Reported by TenableType

Linux host unpatched CVE-2026-27601 in Underscore.js before 1.13.8 enables DoS via stack overflow.

Reporter	Title	Published	Views	Family All 70
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to multiple node modules.	21 Apr 202618:47	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security SOAR is using a component with a known vulnerability (CVE-2026-27601)	22 Apr 202614:31	–	ibm
IBM Security Bulletins	Security Bulletin: Due to the use of Underscore.js, IBM DevOps Solution Workbench is affected by a Denial of Service (CVE-2026-27601)	16 Mar 202608:36	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in underscore-1.13.7.tgz	6 May 202603:55	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities in IBM Business Automation Manager Open Editions	31 Mar 202612:18	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Bob	26 May 202614:04	–	ibm
IBM Security Bulletins	Security Bulletin: Security Vulnerabilities affect IBM Voice Gateway	31 Mar 202615:54	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability affect underscore-umd-min, werkzeug-3.1.5, flask-3.1.1, cryptography, aircompressor, pyasn1, http, log4j, apache2-build, commons-configuration, bcpkix-jdk18on, server-MariaDB, Jline, IBM COS Systems (April 2026)	26 May 202613:44	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM watsonx Code Assistant On Prem	16 Mar 202613:27	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate Developer Edition	19 May 202605:43	–	ibm

Source	Link
access	www.access.redhat.com/security/cve/cve-2026-27601
security-tracker	www.security-tracker.debian.org/tracker/CVE-2026-27601
ubuntu	www.ubuntu.com/security/CVE-2026-27601
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(300943);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/03/16");

  script_cve_id("CVE-2026-27601");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2026-27601");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual
    functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker
    could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input
    must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth
    limit. The datastructure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten,
    the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure
    that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to
    _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path
    in which two distinct datastructures that were submitted by the same remote client are compared using
    _.isEqual. For example, if a client submits data that are stored in a database, and the same client can
    later submit another datastructure that is then compared to the data that were saved in the database
    previously, OR if a client submits a single request, but its data are parsed twice, creating two non-
    identical but equivalent datastructures that are then compared. Exceptions originating from the call to
    _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. This vulnerability is fixed
    in 1.13.8. (CVE-2026-27601)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2026-27601");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-27601");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2026-27601");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:U/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:U/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-27601");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/03/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/03/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:24.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:13.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ruby-rails-assets-underscore");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:aspnetcore-runtime-7.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:aspnetcore-targeting-pack-7.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:dotnet-apphost-pack-7.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:dotnet-host");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:dotnet-hostfxr-7.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:dotnet-runtime-7.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:dotnet-sdk-7.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:dotnet-sdk-7.0-source-built-artifacts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:dotnet-targeting-pack-7.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:dotnet-templates-7.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:dotnet7.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:firefox");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:firefox-x11");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:gjs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:gjs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-azure-monitor");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-cloudwatch");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-elasticsearch");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-graphite");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-influxdb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-loki");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-mssql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-opentsdb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-postgres");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-prometheus");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-selinux");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-stackdriver");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:mozjs60");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:mozjs60-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:netstandard-targeting-pack-2.1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:python-sphinx-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:python3-sphinx");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:python3-sphinx-latex");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:thunderbird");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:underscore");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:aspnetcore-runtime-7.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:aspnetcore-targeting-pack-7.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:dotnet-apphost-pack-7.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:dotnet-host");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:dotnet-hostfxr-7.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:dotnet-runtime-7.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:dotnet-sdk-7.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:dotnet-sdk-7.0-source-built-artifacts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:dotnet-targeting-pack-7.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:dotnet-templates-7.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:dotnet7.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:firefox");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:firefox-x11");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gjs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gjs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-azure-monitor");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-cloudwatch");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-elasticsearch");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-graphite");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-influxdb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-loki");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-mssql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-opentsdb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-postgres");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-prometheus");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-selinux");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-stackdriver");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mozjs60");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mozjs60-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:netstandard-targeting-pack-2.1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-sphinx-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python3-sphinx");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python3-sphinx-latex");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:thunderbird");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/CentOS Linux-7", "Host/OS/CentOS Linux-8", "Host/OS/Debian Linux-11", "Host/OS/Debian Linux-12", "Host/OS/Debian Linux-13", "Host/OS/Red Hat Enterprise Linux-10", "Host/OS/Red Hat Enterprise Linux-7", "Host/OS/Red Hat Enterprise Linux-8", "Host/OS/Red Hat Enterprise Linux-9", "Host/OS/Ubuntu Linux-18.04", "Host/OS/Ubuntu Linux-20.04", "Host/OS/Ubuntu Linux-22.04", "Host/OS/Ubuntu Linux-24.04");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/CentOS/rpm-list")) && empty_or_null(get_one_kb_item("Host/Debian/dpkg-l")) && empty_or_null(get_one_kb_item("Host/RedHat/rpm-list"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Debian Linux-11": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "11",
        "pkgs": [
          {"reference": "libjs-underscore"},
          {"reference": "node-underscore"}
        ]
      }
    ]
  },
  "Debian Linux-12": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "12",
        "pkgs": [
          {"reference": "libjs-underscore"},
          {"reference": "node-underscore"}
        ]
      }
    ]
  },
  "Debian Linux-13": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "13",
        "pkgs": [
          {"reference": "libjs-underscore"},
          {"reference": "node-underscore"}
        ]
      }
    ]
  },
  "Ubuntu Linux-18.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "18.04",
        "pkgs": [
          {"reference": "ruby-rails-assets-underscore"}
        ]
      }
    ]
  },
  "Ubuntu Linux-20.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "20.04",
        "pkgs": [
          {"reference": "ruby-rails-assets-underscore"}
        ]
      }
    ]
  },
  "Ubuntu Linux-22.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "22.04",
        "pkgs": [
          {"reference": "ruby-rails-assets-underscore"}
        ]
      }
    ]
  },
  "Ubuntu Linux-24.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "24.04",
        "pkgs": [
          {"reference": "ruby-rails-assets-underscore"}
        ]
      }
    ]
  },
  "Red Hat Enterprise Linux-10": {
    "package_manager": "rpm-list",
    "constraints": [
      {
        "release": "10",
        "pkgs": [
          {"reference": "firefox"},
          {"reference": "gjs"},
          {"reference": "gjs-devel"},
          {"reference": "thunderbird"}
        ]
      }
    ]
  },
  "CentOS Linux-7": {
    "package_manager": "rpm-list",
    "constraints": [
      {
        "release": "7",
        "pkgs": [
          {"reference": "firefox"}
        ]
      }
    ]
  },
  "Red Hat Enterprise Linux-7": {
    "package_manager": "rpm-list",
    "constraints": [
      {
        "release": "7",
        "pkgs": [
          {"reference": "firefox"}
        ]
      }
    ]
  },
  "CentOS Linux-8": {
    "package_manager": "rpm-list",
    "constraints": [
      {
        "release": "8",
        "pkgs": [
          {"reference": "firefox"},
          {"reference": "grafana"},
          {"reference": "grafana-azure-monitor"},
          {"reference": "grafana-cloudwatch"},
          {"reference": "grafana-elasticsearch"},
          {"reference": "grafana-graphite"},
          {"reference": "grafana-influxdb"},
          {"reference": "grafana-loki"},
          {"reference": "grafana-mssql"},
          {"reference": "grafana-mysql"},
          {"reference": "grafana-opentsdb"},
          {"reference": "grafana-postgres"},
          {"reference": "grafana-prometheus"},
          {"reference": "grafana-selinux"},
          {"reference": "grafana-stackdriver"},
          {"reference": "mozjs60"},
          {"reference": "mozjs60-devel"},
          {"reference": "thunderbird"}
        ]
      }
    ]
  },
  "Red Hat Enterprise Linux-8": {
    "package_manager": "rpm-list",
    "constraints": [
      {
        "release": "8",
        "pkgs": [
          {"reference": "firefox"},
          {"reference": "grafana"},
          {"reference": "grafana-azure-monitor"},
          {"reference": "grafana-cloudwatch"},
          {"reference": "grafana-elasticsearch"},
          {"reference": "grafana-graphite"},
          {"reference": "grafana-influxdb"},
          {"reference": "grafana-loki"},
          {"reference": "grafana-mssql"},
          {"reference": "grafana-mysql"},
          {"reference": "grafana-opentsdb"},
          {"reference": "grafana-postgres"},
          {"reference": "grafana-prometheus"},
          {"reference": "grafana-selinux"},
          {"reference": "grafana-stackdriver"},
          {"reference": "mozjs60"},
          {"reference": "mozjs60-devel"},
          {"reference": "thunderbird"}
        ]
      }
    ]
  },
  "Red Hat Enterprise Linux-9": {
    "package_manager": "rpm-list",
    "constraints": [
      {
        "release": "9",
        "pkgs": [
          {"reference": "aspnetcore-runtime-7.0"},
          {"reference": "aspnetcore-targeting-pack-7.0"},
          {"reference": "dotnet-apphost-pack-7.0"},
          {"reference": "dotnet-host"},
          {"reference": "dotnet-hostfxr-7.0"},
          {"reference": "dotnet-runtime-7.0"},
          {"reference": "dotnet-sdk-7.0"},
          {"reference": "dotnet-sdk-7.0-source-built-artifacts"},
          {"reference": "dotnet-targeting-pack-7.0"},
          {"reference": "dotnet-templates-7.0"},
          {"reference": "dotnet7.0"},
          {"reference": "firefox"},
          {"reference": "firefox-x11"},
          {"reference": "gjs"},
          {"reference": "gjs-devel"},
          {"reference": "grafana"},
          {"reference": "grafana-selinux"},
          {"reference": "netstandard-targeting-pack-2.1"},
          {"reference": "python-sphinx-doc"},
          {"reference": "python3-sphinx"},
          {"reference": "python3-sphinx-latex"},
          {"reference": "thunderbird"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

16 Mar 2026 00:00Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.15.9

CVSS 48.2

EPSS0.00022

SSVC