<Vulnerability name="CVE-2026-48619">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-06-26T01:14:36</PublicDate>
    <Bugzilla id="2493325" url="https://bugzilla.redhat.com/show_bug.cgi?id=2493325" xml:lang="en:us">
nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>5.3</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-770</CWE>
    <Details xml:lang="en:us" source="Mitre">
A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.

This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Node.js. A malicious server can exploit the HTTP/2 client by sending an unlimited number of ORIGIN frames. This can lead to an Out of Memory error on the client, resulting in a denial of service.
    </Details>
    <Statement xml:lang="en:us">
This Moderate flaw in the Node.js HTTP/2 client can lead to a denial of service. A malicious server could exploit this by sending an excessive number of ORIGIN frames, causing the client to consume all available memory. This affects Red Hat products utilizing Node.js as an HTTP/2 client.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <AffectedRelease cpe="cpe:/o:redhat:enterprise_linux:10.2">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <ReleaseDate>2026-07-06T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:35841">RHSA-2026:35841</Advisory>
        <Package name="nodejs24">nodejs24-1:24.18.0-1.el10_2</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/o:redhat:enterprise_linux:10.2">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <ReleaseDate>2026-07-06T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:35842">RHSA-2026:35842</Advisory>
        <Package name="nodejs22">nodejs22-1:22.23.1-2.el10_2</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <ReleaseDate>2026-07-15T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:39868">RHSA-2026:39868</Advisory>
        <Package name="nodejs:24">nodejs:24-8100020260630152626.6d880403</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <ReleaseDate>2026-07-06T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:35891">RHSA-2026:35891</Advisory>
        <Package name="nodejs:24">nodejs:24-9080020260626074955.rhel9</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <ReleaseDate>2026-07-06T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:35892">RHSA-2026:35892</Advisory>
        <Package name="nodejs:22">nodejs:22-9080020260626075442.rhel9</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-06-30T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:33866">RHSA-2026:33866</Advisory>
        <Package name="nodejs26-main">nodejs26-main-26.4.0-1.3.hum1</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-07-01T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:34478">RHSA-2026:34478</Advisory>
        <Package name="nodejs24-main">nodejs24-main-24.18.0-0.2.hum1</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-07-03T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:35272">RHSA-2026:35272</Advisory>
        <Package name="nodejs22-main">nodejs22-main-22.23.1-2.hum1</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-04-10T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:7378">RHSA-2026:7378</Advisory>
        <Package name="nodejs25-main">nodejs25-main-25.9.0-1.1.hum1</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-04-21T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:9455">RHSA-2026:9455</Advisory>
        <Package name="nodejs20-main">nodejs20-main-20.20.2-1.hum1</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>nodejs</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-48619
https://nvd.nist.gov/vuln/detail/CVE-2026-48619
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases
    </References>
</Vulnerability>