Red Hat Product Errata
RHSA-2026:9874 - Security Advisory

Issued: 2026-04-22
Updated: 2026-04-22

Synopsis
Important: nodejs:20 security update

Type/Severity
Security Advisory: Important

Topic
An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 9.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):
* minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)
* minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions (CVE-2026-27904)
* nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)
* Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

Affected Products
* Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 x86_64
* Red Hat Enterprise Linux Server - AUS 9.6 x86_64
* Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6 s390x
* Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6 ppc64le
* Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6 aarch64
* Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6 ppc64le
* Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6 x86_64
* Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6 aarch64
* Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6 s390x
* Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.6 x86_64
* Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.6 aarch64
* Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.6 ppc64le
* Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.6 s390x

Fixes
BZ - 2441268 - CVE-2026-26996 minimatch: minimatch: Denial of Service via specially crafted glob patterns
BZ - 2442922 - CVE-2026-27904 minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
BZ - 2448754 - CVE-2026-27135 nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination
BZ - 2453151 - CVE-2026-21710 Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header

CVEs
CVE-2026-21710
CVE-2026-26996
CVE-2026-27135
CVE-2026-27904

References
https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available.

Red Hat has issued an Important security update for the Node.js 20 module on RHEL 9.6 EUS to address four Denial of Service vulnerabilities: two in the `minimatch` library via crafted glob patterns causing catastrophic backtracking (CVE-2026-26996 & CVE-2026-27904, CVSS 7.5 High), one in `nghttp2` via malformed HTTP/2 frames after session termination (CVE-2026-27135, CVSS 7.5 High), and one in Node.js itself via a crafted HTTP `__proto__` header (CVE-2026-21710). The specific fixed versions for the libraries are `minimatch` 3.1.3/4.2.4/5.1.7/6.2.1/7.4.7/8.0.5/9.0.6/10.2.1 for the first CVE and 3.1.4/4.2.5/5.1.8/6.2.2/7.4.8/8.0.6/9.0.7/10.2.3 for the second, and `nghttp2` 1.68.1.