118 matches found
ROOT-OS-UBUNTU-2404-CVE-2025-22036 CVE-2025-22036 in rootio-linux - Patched by Root
Root has patched CVE-2025-22036 in the rootio-linux package for Root:Ubuntu:24.04. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-22036 CVE-2026-22036 in @rootio/undici - Patched by Root
Root has patched CVE-2026-22036 in the @rootio/undici package for Root:npm. Multiple fixed versions available...
SUSE: Security Advisory (SUSE-SU-2026:0457-1)
The remote host is missing an update for the...
SUSE: Security Advisory (SUSE-SU-2026:0435-1)
The remote host is missing an update for the...
SUSE SLES15 / openSUSE 15 Security Update : nodejs20 (SUSE-SU-2026:0435-1)
The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0435-1 advisory. - Update to 20.20.0: - CVE-2026-22036: Updated undici to 6.23.0 bsc1256848 - CVE-2025-59465: Add TLSSocket default...
Fedora: Security Advisory (FEDORA-2026-cc863e84da)
The remote host is missing an update for the...
SUSE SLES15 Security Update : nodejs22 (SUSE-SU-2026:0301-1)
The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0301-1 advisory. Security fixes: - CVE-2026-22036: Fixed unbounded decompression chain in HTTP response leading to resource exhaustion bsc1256848 -...
SUSE-SU-2026:0301-1 Security update for nodejs22
This update for nodejs22 fixes the following issues: Security fixes: - CVE-2026-22036: Fixed unbounded decompression chain in HTTP response leading to resource exhaustion bsc1256848 - CVE-2026-21637: Fixed synchronous exceptions thrown during callbacks that bypass TLS error handling and causing...
SUSE SLES15 / openSUSE 15 Security Update : nodejs22 (SUSE-SU-2026:0295-1)
The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0295-1 advisory. Security fixes: - CVE-2026-22036: Fixed unbounded decompression chain in HTTP response leading to resource exhaustion...
Security update for nodejs22
This update for nodejs22 fixes the following issues: Security fixes: CVE-2026-22036: Fixed unbounded decompression chain in HTTP response leading to resource exhaustion bsc1256848 CVE-2026-21637: Fixed synchronous exceptions thrown during callbacks that bypass TLS error handling and causing denia...
CVE-2026-22036 vulnerabilities
Vulnerabilities for packages: renovate, kibana, langfuse-fips, langfuse, librechat, code-server, jitsucom-jitsu...
MiracleLinux 8 : java-11-openjdk-11.0.20.0.8-2.el8 (AXSA:2023-6262:16)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-6262:16 advisory. OpenJDK: ZIP file parsing infinite loop 8302483 CVE-2023-22036 OpenJDK: weakness in AES implementation 8308682 CVE-2023-22041 OpenJDK: improper...
MiracleLinux 9 : java-17-openjdk-17.0.8.0.7-2.el9.ML.1 (AXSA:2023-6268:14)
The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-6268:14 advisory. OpenJDK: ZIP file parsing infinite loop 8302483 CVE-2023-22036 OpenJDK: weakness in AES implementation 8308682 CVE-2023-22041 OpenJDK: improper...
0utmailauth (=1.0.0), 0xsodium (>=0.2.0 <=0.14.0) +13798 more potentially affected by CVE-2026-22036 via undici (>=0.3.3 <=6.22.0)
undici NPM version =0.3.3, =0.2.0, =1.0.0, =0.2.0, =0.4.0, =0.1.0, =0.0.1, =1.0.21, =1.0.1, =2.1.0, =2.1.1 and more Source cves: CVE-2026-22036 Source advisory: OSV:GHSA-G9MF-H72J-4RW9...
@01.software/sdk (>=0.0.1-251008.90016 <=0.1.0-dev.260109.7cf07c9), @adenta/cms (>=0.0.6 <=1.1.1-0) +236 more potentially affected by CVE-2026-22036 via undici (>=7.0.0 <=7.18.0)
undici NPM version =7.0.0, =0.0.1-251008.90016, =0.0.6, =0.0.2, =0.0.33, =0.0.1, =1.0.0, =21.0.0, =21.0.0, =0.5.0, =1.0.1-dev.120, =12.6.9, =0.1.6, =0.13.70, =0.13.99 and more Source cves: CVE-2026-22036 Source advisory: OSV:GHSA-G9MF-H72J-4RW9...
CVE-2026-22036
creationtimestamp | type | source
---|---|---
2026-01-14 20:28:30+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mcfvtsd2pl2c
2026-01-15 08:20:31+00:00 | seen | https://gist.github.com/Darkcrai86/88fd735daaf5212a2932ca1c1bdd8c2f
2026-01-24 21:24:57+00:00 | seen | ...
@01.software/sdk (>=0.0.1-251008.90016 <=0.1.0-dev.260109.7cf07c9), @adenta/cms (>=0.0.6 <=1.1.1-0) +237 more potentially affected by CVE-2026-22036 via undici (>=7.0.0-alpha.3 <=7.18.0)
undici NPM version =7.0.0-alpha.3, =0.0.1-251008.90016, =0.0.6, =0.0.2, =0.0.33, =0.0.1, =1.0.0, =21.0.0, =21.0.0, =0.5.0, =1.0.1-dev.120, =12.6.9, =0.1.6, =0.13.70, =0.13.99 and more Source cves: CVE-2026-22036 Source advisory: SNYK:JS-UNDICI-14943963...
org.webjars.npm:actions__core (>=1.10.0 <=1.11.1), org.webjars.npm:actions__http-client (>=2.2.1 <=2.2.3) +14 more potentially affected by CVE-2026-22036 via org.webjars.npm:undici (>=4.12.2 <=5.29.0)
org.webjars.npm:undici MAVEN version =4.12.2, =1.10.0, =2.2.1, =0.1.16, =0.1.28 - org.webjars.npm:elasticelasticsearch =8.6.0 - org.webjars.npm:elastictransport =8.3.1 - org.webjars.npm:firebase =10.13.0 - org.webjars.npm:firebaseauth =1.7.7 - org.webjars.npm:firebaseauth-compat =0.5.12 -...
DEBIAN-CVE-2026-22036
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation. This...
Linux Distros Unpatched Vulnerability : CVE-2026-22036
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize...