Security News

Cybersecurity news aggregator

HIGH Updates Red Hat Errata

RHSA-2026:9711: Important: nodejs:20 security update

This Important Red Hat advisory addresses multiple Denial of Service vulnerabilities in Node.js 20 for RHEL 9.4 EUS, including high-severity flaws (CVSS 7.5) in the `minimatch` library via crafted glob patterns causing catastrophic backtracking (CVE-2026-26996, CVE-2026-27904), in `nghttp2` via malformed HTTP/2 frames (CVE-2026-27135), and in Node.js itself via a crafted HTTP `__proto__` header (CVE-2026-21710). The `minimatch` vulnerabilities affect versions 3.0.0-3.1.2, 4.0.0-4.2.3, 5.0.0-5.1.6, 6.0.0-6.2.0, and 7.0.0-7.4.6, requiring updates to versions 3.1.3, 4.2.4, 5.1.7, 6.2.1, or 7.4.7 respectively, while the `nghttp2` flaw affects versions prior to 1.68.1. Administrators should apply the provided Red Hat update to the `nodejs:20` module to remediate.
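The `minimatch` ranges listed above can also be checked against an application's own dependency tree, which the RPM update does not touch. The following is an added example, not code from Red Hat or from the original page. It assumes an npm lockfile with a `packages` map (lockfileVersion 2 or 3); the function names and the sample lockfile are constructed for illustration.

```javascript
// Affected ranges and fixed versions as listed in the advisory summary above.
const AFFECTED = [
  { from: [3, 0, 0], to: [3, 1, 2], fixed: '3.1.3' },
  { from: [4, 0, 0], to: [4, 2, 3], fixed: '4.2.4' },
  { from: [5, 0, 0], to: [5, 1, 6], fixed: '5.1.7' },
  { from: [6, 0, 0], to: [6, 2, 0], fixed: '6.2.1' },
  { from: [7, 0, 0], to: [7, 4, 6], fixed: '7.4.7' },
];

// Parse "MAJOR.MINOR.PATCH" (any pre-release/build suffix is ignored); null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Three-part numeric comparison: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Fixed version to move to, or null when the version is outside the listed ranges.
function fixedVersionFor(version) {
  const v = parseVersion(version);
  if (!v) return null;
  const hit = AFFECTED.find(r => cmp(v, r.from) >= 0 && cmp(v, r.to) <= 0);
  return hit ? hit.fixed : null;
}

// Walk the lockfile "packages" map and report every minimatch copy in an
// affected range, including copies nested under other packages.
function findAffectedMinimatch(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/minimatch$/.test(path)) continue;
    const fixed = fixedVersionFor(meta.version);
    if (fixed) findings.push({ path, version: meta.version, fixed });
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = { packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/minimatch': { version: '3.1.2' },
  'node_modules/glob/node_modules/minimatch': { version: '5.1.7' },
  'node_modules/rimraf/node_modules/minimatch': { version: '7.4.6' },
} };
console.log(findAffectedMinimatch(sampleLock));
```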

Red Hat Product Errata
RHSA-2026:9711 - Security Advisory
Issued: 2026-04-22
Updated: 2026-04-22

Synopsis
Important: nodejs:20 security update

Type/Severity
Security Advisory: Important

Topic
An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):
minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)
minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions (CVE-2026-27904)
nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)
Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products
Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64
Red Hat Enterprise Linux Server - AUS 9.4 x86_64
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.4 x86_64
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.4 aarch64
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.4 ppc64le
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.4 s390x

Fixes
BZ - 2441268 - CVE-2026-26996 minimatch: minimatch: Denial of Service via specially crafted glob patterns
BZ - 2442922 - CVE-2026-27904 minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
BZ - 2448754 - CVE-2026-27135 nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination
BZ - 2453151 - CVE-2026-21710 Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header

CVEs
CVE-2026-21710
CVE-2026-26996
CVE-2026-27135
CVE-2026-27904

References
https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available.
