Detections
Analytics

SUSE SLES15 Security Update : nodejs20 (SUSE-SU-2026:1363-1)

high Nessus Plugin ID 306701

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1363-1 advisory.

 Update to version 20.20.2.

 - CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism allows for performance degradation via a crafted request (bsc#1260494).
 - CVE-2026-21716: incomplete fix for CVE-2024-36137 allows promise-based FileHandle methods to be used to modify file permissions and ownership on already-open file descriptors (bsc#1260462).
 - CVE-2026-21715: flaw in the Permission Model filesystem enforcement allows for file existence disclosure and filesystem path enumeration via `fs.realpathSync.native()` (bsc#1260482).
 - CVE-2026-21714: memory leak in Node.js HTTP/2 server allows for resource exhaustion via `WINDOW_UPDATE` frames sent on stream 0 (bsc#1260480).
 - CVE-2026-21713: timing side-channel due to flaw in Node.js HMAC verification allows for discovery of HMAC values and potential MAC forgery (bsc#1260463).
 - CVE-2026-21710: uncaught `TypeError` when handling HTTP requests allows for a process crash via requests with a header named `__proto__` when the application accesses `req.headersDistinct` (bsc#1260455).
 - CVE-2026-21637: flaw in TLS error handling allows for resource exhaustion and crash when `pskCallback` or `ALPNCallback` are in use (bsc#1256576).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected nodejs20, nodejs20-devel, nodejs20-docs and / or npm20 packages.

See Also

https://bugzilla.suse.com/1256576

https://bugzilla.suse.com/1260455

https://bugzilla.suse.com/1260462

https://bugzilla.suse.com/1260463

https://bugzilla.suse.com/1260480

https://bugzilla.suse.com/1260482

https://bugzilla.suse.com/1260494

https://lists.suse.com/pipermail/sle-updates/2026-April/045554.html

https://www.suse.com/security/cve/CVE-2026-21637

https://www.suse.com/security/cve/CVE-2026-21710

https://www.suse.com/security/cve/CVE-2026-21713

https://www.suse.com/security/cve/CVE-2026-21714

https://www.suse.com/security/cve/CVE-2026-21715

https://www.suse.com/security/cve/CVE-2026-21716

https://www.suse.com/security/cve/CVE-2026-21717

Plugin Details

Severity: High

ID: 306701

File Name: suse_SU-2026-1363-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 4/16/2026

Updated: 4/16/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-21637

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:nodejs20-devel, p-cpe:/a:novell:suse_linux:nodejs20-docs, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:npm20, p-cpe:/a:novell:suse_linux:nodejs20

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/15/2026

Vulnerability Publication Date: 1/13/2026

Reference Information

CVE: CVE-2026-21637, CVE-2026-21710, CVE-2026-21713, CVE-2026-21714, CVE-2026-21715, CVE-2026-21716, CVE-2026-21717

SuSE: SUSE-SU-2026:1363-1