What is RHSA-2026:7675?

RHSA-2026:7675 is a security advisory published by Red Hat Product Security with High severity. Red Hat Security Advisory: nodejs24 security update

Which CVE IDs does RHSA-2026:7675 cover?

RHSA-2026:7675 covers the following CVE IDs: CVE-2026-21716, CVE-2026-27135, CVE-2026-2581, CVE-2026-26996, CVE-2026-1527, CVE-2026-1528, CVE-2026-21637, CVE-2026-25547, CVE-2026-1525, CVE-2026-1526, CVE-2026-2229, CVE-2026-21711, CVE-2026-21714, CVE-2026-21717, CVE-2026-21710, CVE-2026-21712, CVE-2026-21713, CVE-2026-21715. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of RHSA-2026:7675?

RHSA-2026:7675 has a CVSS v3 base score of 7.5, published by Red Hat Product Security.

RHSA-2026:7675: Red Hat Security Advisory: n…

🔗 CVE IDs covered (18)

CVE-2026-21716 · pendingCVE-2026-27135 →CVE-2026-2581 · pendingCVE-2026-26996 · pendingCVE-2026-1527 · pendingCVE-2026-1528 · pendingCVE-2026-21637 · pendingCVE-2026-25547 →CVE-2026-1525 · pendingCVE-2026-1526 · pendingCVE-2026-2229 · pendingCVE-2026-21711 · pendingCVE-2026-21714 · pendingCVE-2026-21717 →CVE-2026-21710 · pendingCVE-2026-21712 →CVE-2026-21713 →CVE-2026-21715 · pending

📋 Description

CVE-2026-1525 — undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers CVE-2026-1526 — undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression CVE-2026-1527 — undici: Undici: HTTP header injection and request smuggling vulnerability CVE-2026-1528 — undici: undici: Denial of Service via crafted WebSocket frame with large length CVE-2026-2229 — undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter CVE-2026-2581 — undici: Undici: Denial of Service due to uncontrolled resource consumption CVE-2026-21637 — nodejs: Nodejs denial of service CVE-2026-21710 — Node.js: Node.js: Denial of Service due to crafted HTTP __proto__ header CVE-2026-21711 — Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks CVE-2026-21712 — Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing CVE-2026-21713 — Node.js: Node.js: Information disclosure via timing oracle in HMAC verification CVE-2026-21714 — Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames CVE-2026-21715 — Node.js: Node.js: Information disclosure due to fs.realpathSync.native() bypassing filesystem read restrictions CVE-2026-21716 — nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. CVE-2026-21717 — nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions CVE-2026-25547 — brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion CVE-2026-26996 — minimatch: minimatch: Denial of Service via specially crafted glob patterns CVE-2026-27135 — nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination

🔗 CVE IDs covered (18)

📋 Description

🔗 References (21)