PT-2026-3360 · Node.js +2

0Xmaxhax · Published 2026-01-01 · Updated 2026-05-18 · CVE-2026-21637

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Node.js versions (affected versions not specified)

Description

A flaw in Node.js TLS error handling can allow remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths, potentially leading to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. The issue is related to incorrect cleanup or release of resources within the pskCallback() and ALPNCallback() functions.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
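
One way to keep application-supplied handshake callbacks from throwing synchronously, following the mechanism in the Description. This is an added example, not code from the advisory or the Node.js project: it converts an exception into the callback's documented rejection value (undefined for ALPNCallback, null for pskCallback). The names pickAlpn, lookupPsk, PSK_TABLE, handshakeErrors and guardedTlsOptions are hypothetical, and the wrapper hardens application code only; it does not replace a patched Node.js build.

```javascript
// Added example (not advisory or Node.js project code).
const handshakeErrors = []; // stand-in for the service's logger (assumption)

// Wrap a TLS handshake callback so a synchronous throw becomes a clean rejection.
function guardHandshakeCallback(name, fn, rejectValue) {
  return function guarded(...args) {
    try {
      return fn.apply(this, args);
    } catch (err) {
      // Record the failure and reject only this handshake.
      handshakeErrors.push({ name, message: err.message });
      return rejectValue;
    }
  };
}

// Constructed sample key table; identity and key bytes are made up.
const PSK_TABLE = new Map([
  ['device-01', Buffer.from('00112233445566778899aabbccddeeff', 'hex')],
]);

// Hypothetical application callbacks with ordinary bugs on unexpected input.
function pickAlpn({ servername, protocols }) {
  // TypeError when the client sends no SNI (servername is not a string).
  const preferred = servername.startsWith('legacy.') ? 'http/1.1' : 'h2';
  return protocols.includes(preferred) ? preferred : undefined;
}

function lookupPsk(socket, identity) {
  const [kind, id] = identity.split('-');
  if (!/^\d+$/.test(id)) throw new RangeError('malformed PSK identity');
  return PSK_TABLE.get(`${kind}-${id}`) ?? null;
}

// Options to spread into tls.createServer({...}) beside the rest of the config.
const guardedTlsOptions = {
  // Returning undefined rejects the connection with a fatal alert.
  ALPNCallback: guardHandshakeCallback('ALPNCallback', pickAlpn, undefined),
  // Returning null stops PSK negotiation.
  pskCallback: guardHandshakeCallback('pskCallback', lookupPsk, null),
};
```

Alerting on the rate of entries in handshakeErrors gives a signal that a client is repeatedly hitting a throwing path.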

DoS

Improper Resource Release

Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2026:1842
ALSA-2026:1843
ALSA-2026:2420
ALSA-2026:2421
ALSA-2026:2422
ALSA-2026:2781
ALSA-2026:2782
ALSA-2026:2783
ALSA-2026:7350
ALSA-2026:7670
ALSA-2026:7675
AZL-75080
BDU:2026-00548
BIT-NODE-2026-21637
BIT-NODE-MIN-2026-21637
CLEANSTART-2026-AD27625
CLEANSTART-2026-FN55648
CLEANSTART-2026-HD58055
CLEANSTART-2026-KS09647
CLEANSTART-2026-OW14897
CLEANSTART-2026-QY24299
CLEANSTART-2026-TW25027
CLEANSTART-2026-TZ34913
CLEANSTART-2026-UJ06223
CVE-2026-21637
MGASA-2026-0009
MGASA-2026-0071
OESA-2026-1218
OESA-2026-1219
OESA-2026-1220
OESA-2026-1221
OPENSUSE-SU-2026:10062-1
OPENSUSE-SU-2026:10074-1
OPENSUSE-SU-2026:20236-1
OPENSUSE-SU-2026:20519-1
RHSA-2026:1842
RHSA-2026:1843
RHSA-2026:2420
RHSA-2026:2421
RHSA-2026:2422
RHSA-2026:2767
RHSA-2026:2768
RHSA-2026:2781
RHSA-2026:2782
RHSA-2026:2783
RHSA-2026:2864
RHSA-2026:2899
RHSA-2026:6402
RHSA-2026:6431
RHSA-2026:7350
RHSA-2026:7386
RHSA-2026:7387
RHSA-2026:7670
RHSA-2026:7675
SUSE-SU-2026:0295-1
SUSE-SU-2026:0301-1
SUSE-SU-2026:0435-1
SUSE-SU-2026:0457-1
SUSE-SU-2026:1299-1
SUSE-SU-2026:1363-1
SUSE-SU-2026:1371-1
SUSE-SU-2026:1478-1
SUSE-SU-2026:1509-1
SUSE-SU-2026:20436-1
SUSE-SU-2026:21181-1

Affected Products

Node.js
Red Os
Rocky Linux