TencentOS Server 4: nodejs20 (TSSA-2026:0186)

critical Nessus Plugin ID 310960

Synopsis

The remote TencentOS Server 4 host is missing one or more security updates.

Description

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2026:0186 advisory.

Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

CVE-2026-2229:
Impact: The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.

The vulnerability exists because:

* The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
* The createInflateRaw() call is not wrapped in a try-catch block
* The resulting exception propagates up through the call stack and crashes the Node.js process

CVE-2026-1528:
Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.

Patches

Patched in undici versions v7.24.0 and v6.24.0. Users should upgrade to one of these versions or later.

CVE-2026-1526:
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a decompression bomb) that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.

The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.

CVE-2026-1525:
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.

Who is impacted:

* Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
* Applications that accept user-controlled header names without case-normalization


Potential consequences:

* Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
* HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
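For the CVE-2026-1525 case described above, the following is an added example, not code from undici, the advisory, or Tenable. It shows a pre-flight check an application could run on a flat header array (name, value, name, value, ...) before handing it to a low-level client API; the function names and sample inputs are hypothetical.

```javascript
// Added illustration; not undici code. Function names are hypothetical.
// Detects headers that must appear once but are repeated under
// case-variant spellings in a flat [name, value, name, value, ...] array.
function findDuplicateHeaders(flat, singletons = ['content-length']) {
  if (!Array.isArray(flat) || flat.length % 2 !== 0) {
    throw new TypeError('flat header array must hold name/value pairs');
  }
  const watch = new Set(singletons.map((n) => n.toLowerCase()));
  const seen = new Map(); // lower-cased name -> [{ name, value }]
  for (let i = 0; i < flat.length; i += 2) {
    const name = String(flat[i]);
    const key = name.trim().toLowerCase(); // header names are case-insensitive
    if (!watch.has(key)) continue;
    if (!seen.has(key)) seen.set(key, []);
    seen.get(key).push({ name, value: String(flat[i + 1]).trim() });
  }
  const findings = [];
  for (const [header, entries] of seen) {
    if (entries.length < 2) continue;
    findings.push({
      header,
      spellings: entries.map((e) => e.name),
      // Differing values are the smuggling-relevant case; equal values
      // are still rejected by strict parsers.
      conflicting: new Set(entries.map((e) => e.value)).size > 1,
    });
  }
  return findings;
}

// Refuse to send a request whose header array contains such duplicates.
function assertSafeHeaders(flat) {
  const findings = findDuplicateHeaders(flat);
  if (findings.length > 0) {
    const f = findings[0];
    throw new Error(`duplicate ${f.header} header (${f.spellings.join(', ')})`);
  }
  return flat;
}

// Constructed sample inputs.
const SAMPLE_BAD = ['Host', 'example.test', 'Content-Length', '5', 'content-length', '0'];
const SAMPLE_OK = ['Host', 'example.test', 'Content-Length', '5'];
```

Calling assertSafeHeaders() on any header array built from user-controlled names rejects the request locally instead of emitting conflicting Content-Length values on the wire.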

Solution

Update the affected packages.

See Also

https://mirrors.tencent.com/tlinux/errata/tssa-20260186.xml

Plugin Details

Severity: Critical

ID: 310960

File Name: tencentos_TSSA_2026_0186.nasl

Version: 1.1

Type: Local

Published: 4/29/2026

Updated: 4/29/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-1525

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:tencent:tencentos_server:nodejs20, cpe:/o:tencent:tencentos_server:4

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/etc/os-release, Host/TencentOS/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 4/23/2026

Vulnerability Publication Date: 3/12/2026

Reference Information

CVE: CVE-2026-1525, CVE-2026-1526, CVE-2026-1528, CVE-2026-2229