CVE-2026-21716

CVSS v3.1

3.3

Low

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Node.js versions 20.x through 25.x

Description An incomplete fix allows bypassing of intended write restrictions when using the Permission Model with restricted --allow-fs-write. Specifically, the FileHandle.chmod() and FileHandle.chown() methods within the promises API lack the necessary permission checks, while their callback-based counterparts (fs.fchmod(), fs.fchown()) were patched correctly. This allows code running with restricted permissions to modify file permissions and ownership on already-open file descriptors. The vulnerable API endpoints are FileHandle.chmod() and FileHandle.chown(). The vulnerable variables are file permissions and ownership.

Recommendations Update to a version beyond 25.x when available.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862CWE-769

Related Identifiers

ALSA-2026:7350

ALSA-2026:7670

ALSA-2026:7675

BDU:2026-04837

BIT-NODE-2026-21716

BIT-NODE-MIN-2026-21716

CVE-2026-21716

MGASA-2026-0071

OESA-2026-1951

OESA-2026-1952

OESA-2026-1953

OESA-2026-1954

OPENSUSE-SU-2026:10504-1

OPENSUSE-SU-2026:20519-1

RHSA-2026:6402

RHSA-2026:6431

RHSA-2026:7350

RHSA-2026:7386

RHSA-2026:7387

RHSA-2026:7670

RHSA-2026:7675

SUSE-SU-2026:1299-1

SUSE-SU-2026:1363-1

SUSE-SU-2026:1371-1

SUSE-SU-2026:1478-1

SUSE-SU-2026:1509-1

SUSE-SU-2026:21181-1

Affected Products

Node.Js

Rocky Linux

CVE-2026-21716

Weakness Enumeration

Related Identifiers

Affected Products

References · 121