{
  "threat_severity" : "Low",
  "public_date" : "2026-03-30T19:07:28Z",
  "bugzilla" : {
    "description" : "nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix.",
    "id" : "2453157",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2453157"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-279",
  "details" : [ "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.", "A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied. Such a bypass could lead to unauthorized changes to system files." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-04-13T00:00:00Z",
    "advisory" : "RHSA-2026:7675",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "nodejs24-1:24.14.1-2.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-04-13T00:00:00Z",
    "advisory" : "RHSA-2026:7670",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:24-8100020260408131901.6d880403"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-04-09T00:00:00Z",
    "advisory" : "RHSA-2026:7350",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:24-9070020260402152654.rhel9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-01T00:00:00Z",
    "advisory" : "RHSA-2026:6402",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs24-main-24.14.1-4.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-02T00:00:00Z",
    "advisory" : "RHSA-2026:6431",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs25-main-25.9.0-1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-10T00:00:00Z",
    "advisory" : "RHSA-2026:7386",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs20-main-20.20.0-7.1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-10T00:00:00Z",
    "advisory" : "RHSA-2026:7387",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs22-main-22.22.0-1.3.hum1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "nodejs22",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "nodejs:20/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "nodejs:22/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "nodejs:20/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "nodejs:22/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-21716\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21716\nhttps://nodejs.org/en/blog/vulnerability/march-2026-security-releases" ],
  "name" : "CVE-2026-21716",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}