{"id":"MGASA-2026-0071","summary":"Updated nodejs packages fix security vulnerabilities","details":"Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks\ntry/catch leading to Remote DoS. (CVE-2026-21637)\nDenial of Service via __proto__ header name in req.headersDistinct\n(Uncaught TypeError crashes Node.js process). (CVE-2026-21710)\nTiming side-channel in HMAC verification via memcmp() in crypto_hmac.cc\nleads to potential MAC forgery. (CVE-2026-21713)\nMemory leak in Node.js HTTP/2 server via WINDOW_UPDATE on stream 0 leads\nto resource exhaustion. (CVE-2026-21714)\nPermission Model Bypass in realpathSync.native Allows File Existence\nDisclosure. (CVE-2026-21715)\nCVE-2024-36137 Patch Bypass - FileHandle.chmod/chown. (CVE-2026-21716)\nHashDoS in V8. (CVE-2026-21717)\n","modified":"2026-03-28T07:30:48.436191Z","published":"2026-03-28T07:26:21Z","related":["CVE-2026-21637","CVE-2026-21710","CVE-2026-21713","CVE-2026-21714","CVE-2026-21715","CVE-2026-21716","CVE-2026-21717"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2026-0071.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=35270"},{"type":"REPORT","url":"https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}],"affected":[{"package":{"name":"nodejs","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/nodejs?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"22.22.2-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2026-0071.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}