DEBIAN-CVE-2026-21637

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-21637

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-21637.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-21637

Upstream

CVE-2026-21637

Published

2026-01-20T21:16:05.950Z

Modified

2026-02-02T22:14:43.509505Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.

References

https://security-tracker.debian.org/tracker/CVE-2026-21637

Affected packages

Debian:11 / nodejs

Package

Name: nodejs
Purl: pkg:deb/debian/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

12.*

12.21.0~dfsg-5

12.22.4~dfsg-1

12.22.5~dfsg-1

12.22.5~dfsg-2~11u1

12.22.5~dfsg-2

12.22.5~dfsg-3

12.22.5~dfsg-4

12.22.5~dfsg-5

12.22.5~dfsg-6

12.22.5~dfsg-7

12.22.7~dfsg-1

12.22.7~dfsg-2

12.22.9~dfsg-1

12.22.10~dfsg-1

12.22.10~dfsg-2

12.22.12~dfsg-1~deb11u1

12.22.12~dfsg-1~deb11u2

12.22.12~dfsg-1~deb11u3

12.22.12~dfsg-1~deb11u4

12.22.12~dfsg-1~deb11u5

12.22.12~dfsg-1~deb11u6

12.22.12~dfsg-1~deb11u7

14.*

14.4.0~dfsg-1

14.4.0~dfsg-2

14.7.0~dfsg-1

14.8.0~dfsg-1

14.9.0~dfsg-1

14.11.0~dfsg-1

14.11.0~dfsg-2

14.12.0~dfsg-1

14.13.0~dfsg-1

14.16.0~dfsg-1

14.16.1~dfsg-1

14.17.0~dfsg-1

14.17.0~dfsg-2

16.*

16.11.1~dfsg-1

16.13.0~dfsg-1

16.13.0~dfsg-2

16.13.0~dfsg-3

16.13.0~dfsg-4

16.13.0~dfsg-5

16.13.2~dfsg-1

16.13.2~dfsg-2

16.13.2+really14.19.0~dfsg-1

16.13.2+really14.19.0~dfsg-2

16.13.2+really14.19.1~dfsg-1

16.13.2+really14.19.1~dfsg-2

16.13.2+really14.19.1~dfsg-3

16.13.2+really14.19.1~dfsg-4

16.13.2+really14.19.1~dfsg-5

16.13.2+really14.19.1~dfsg-6

16.14.2+dfsg-1

16.14.2+dfsg-2

16.14.2+dfsg-3

16.14.2+dfsg-4

16.14.2+dfsg-5

16.14.2+dfsg1-1

16.15.0+dfsg-1

16.15.1+dfsg-1

18.*

18.3.0+dfsg-1

18.4.0+dfsg-1

18.4.0+dfsg-2

18.6.0+dfsg-1

18.6.0+dfsg-2

18.6.0+dfsg-3

18.6.0+dfsg-4

18.6.0+dfsg-5

18.7.0+dfsg-1

18.7.0+dfsg-4

18.7.0+dfsg-5

18.8.0+dfsg-1

18.10.0+dfsg-1

18.10.0+dfsg-2

18.10.0+dfsg-3

18.10.0+dfsg-4

18.10.0+dfsg-5

18.10.0+dfsg-6

18.11.0+dfsg-1

18.11.0+dfsg-2

18.11.0+dfsg-3

18.11.0+dfsg-4

18.12.0+dfsg-1

18.12.1+dfsg-1

18.12.1+dfsg-2

18.12.1+dfsg-2+0.riscv64.1

18.13.0+dfsg-1

18.13.0+dfsg1-1

18.13.0+dfsg1-1.1

18.19.0+dfsg-1

18.19.0+dfsg-2

18.19.0+dfsg-3

18.19.0+dfsg-4

18.19.0+dfsg-5

18.19.0+dfsg-6~deb12u1

18.19.0+dfsg-6~deb12u2

18.19.0+dfsg-6

18.19.1+dfsg-1

18.19.1+dfsg-2

18.19.1+dfsg-3

18.19.1+dfsg-3.1

18.19.1+dfsg-4

18.19.1+dfsg-6

18.20.1+dfsg-1

18.20.1+dfsg-2

18.20.1+dfsg-3

18.20.1+dfsg-4

18.20.4+dfsg-1~deb12u1

20.*

20.10.0+dfsg-1

20.12.2+dfsg-1

20.13.0+dfsg-1

20.13.1+dfsg-1

20.13.1+dfsg-2

20.14.0+dfsg-1

20.14.0+dfsg-2

20.14.0+dfsg-3

20.15.0+dfsg-1

20.15.1+dfsg-1

20.16.0+dfsg-1

20.17.0+dfsg-1

20.17.0+dfsg-2

20.18.0+dfsg-1

20.18.0+dfsg-2

20.18.1+dfsg-1

20.18.1+dfsg-2

20.18.2+dfsg-1

20.18.2+dfsg-2

20.18.2+dfsg-3

20.18.2+dfsg-4

20.18.3+dfsg-1

20.19.0+dfsg-1

20.19.0+dfsg-2

20.19.0+dfsg1-1

20.19.2+dfsg-1

20.19.4+dfsg-1

20.19.5+dfsg+~cs20.19.12-1

20.19.5+dfsg+~cs20.19.12-2

20.19.5+dfsg+~cs20.19.12-3

20.19.5+dfsg+~cs20.19.12-4

20.19.5+dfsg+~cs20.19.24-1

22.*

22.12.0+dfsg-1

22.12.0+dfsg-2

22.12.0+dfsg-3

22.14.0+dfsg-1

22.18.0+dfsg-1

22.18.0+dfsg+~cs22.17.2-1

22.18.0+dfsg+~cs22.17.2-2

22.19.0+dfsg+~cs22.18.0-1

22.21.1+dfsg+~cs22.19.0-1

22.21.1+dfsg+~cs22.19.0-2

22.21.1+dfsg+~cs22.19.0-3

22.21.1+dfsg+~cs22.19.0-4

22.21.1+dfsg+~cs22.19.0-5

22.21.1+dfsg+~cs22.19.0-6

22.22.0+dfsg+~cs22.19.6-1

24.*

24.11.1+dfsg+~cs24.10.1-1

24.11.1+dfsg+~cs24.10.1-2

24.12.0+dfsg+~cs24.10.4-1

24.13.0+dfsg+~cs24.10.7-1

24.13.0+dfsg+~cs24.10.7-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-21637.json"

Debian:12 / nodejs

Package

Name: nodejs
Purl: pkg:deb/debian/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

18.*

18.13.0+dfsg1-1

18.13.0+dfsg1-1.1

18.19.0+dfsg-1

18.19.0+dfsg-2

18.19.0+dfsg-3

18.19.0+dfsg-4

18.19.0+dfsg-5

18.19.0+dfsg-6~deb12u1

18.19.0+dfsg-6~deb12u2

18.19.0+dfsg-6

18.19.1+dfsg-1

18.19.1+dfsg-2

18.19.1+dfsg-3

18.19.1+dfsg-3.1

18.19.1+dfsg-4

18.19.1+dfsg-6

18.20.1+dfsg-1

18.20.1+dfsg-2

18.20.1+dfsg-3

18.20.1+dfsg-4

18.20.4+dfsg-1~deb12u1

20.*

20.10.0+dfsg-1

20.12.2+dfsg-1

20.13.0+dfsg-1

20.13.1+dfsg-1

20.13.1+dfsg-2

20.14.0+dfsg-1

20.14.0+dfsg-2

20.14.0+dfsg-3

20.15.0+dfsg-1

20.15.1+dfsg-1

20.16.0+dfsg-1

20.17.0+dfsg-1

20.17.0+dfsg-2

20.18.0+dfsg-1

20.18.0+dfsg-2

20.18.1+dfsg-1

20.18.1+dfsg-2

20.18.2+dfsg-1

20.18.2+dfsg-2

20.18.2+dfsg-3

20.18.2+dfsg-4

20.18.3+dfsg-1

20.19.0+dfsg-1

20.19.0+dfsg-2

20.19.0+dfsg1-1

20.19.2+dfsg-1

20.19.4+dfsg-1

20.19.5+dfsg+~cs20.19.12-1

20.19.5+dfsg+~cs20.19.12-2

20.19.5+dfsg+~cs20.19.12-3

20.19.5+dfsg+~cs20.19.12-4

20.19.5+dfsg+~cs20.19.24-1

22.*

22.12.0+dfsg-1

22.12.0+dfsg-2

22.12.0+dfsg-3

22.14.0+dfsg-1

22.18.0+dfsg-1

22.18.0+dfsg+~cs22.17.2-1

22.18.0+dfsg+~cs22.17.2-2

22.19.0+dfsg+~cs22.18.0-1

22.21.1+dfsg+~cs22.19.0-1

22.21.1+dfsg+~cs22.19.0-2

22.21.1+dfsg+~cs22.19.0-3

22.21.1+dfsg+~cs22.19.0-4

22.21.1+dfsg+~cs22.19.0-5

22.21.1+dfsg+~cs22.19.0-6

22.22.0+dfsg+~cs22.19.6-1

24.*

24.11.1+dfsg+~cs24.10.1-1

24.11.1+dfsg+~cs24.10.1-2

24.12.0+dfsg+~cs24.10.4-1

24.13.0+dfsg+~cs24.10.7-1

24.13.0+dfsg+~cs24.10.7-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-21637.json"

Debian:13 / nodejs

Package

Name: nodejs
Purl: pkg:deb/debian/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.19.2+dfsg-1

20.19.4+dfsg-1

20.19.5+dfsg+~cs20.19.12-1

20.19.5+dfsg+~cs20.19.12-2

20.19.5+dfsg+~cs20.19.12-3

20.19.5+dfsg+~cs20.19.12-4

20.19.5+dfsg+~cs20.19.24-1

22.*

22.12.0+dfsg-1

22.12.0+dfsg-2

22.12.0+dfsg-3

22.14.0+dfsg-1

22.18.0+dfsg-1

22.18.0+dfsg+~cs22.17.2-1

22.18.0+dfsg+~cs22.17.2-2

22.19.0+dfsg+~cs22.18.0-1

22.21.1+dfsg+~cs22.19.0-1

22.21.1+dfsg+~cs22.19.0-2

22.21.1+dfsg+~cs22.19.0-3

22.21.1+dfsg+~cs22.19.0-4

22.21.1+dfsg+~cs22.19.0-5

22.21.1+dfsg+~cs22.19.0-6

22.22.0+dfsg+~cs22.19.6-1

24.*

24.11.1+dfsg+~cs24.10.1-1

24.11.1+dfsg+~cs24.10.1-2

24.12.0+dfsg+~cs24.10.4-1

24.13.0+dfsg+~cs24.10.7-1

24.13.0+dfsg+~cs24.10.7-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-21637.json"

Debian:14 / nodejs

Package

Name: nodejs
Purl: pkg:deb/debian/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

22.22.0+dfsg+~cs22.19.6-1

Affected versions

20.*

20.19.2+dfsg-1

20.19.4+dfsg-1

20.19.5+dfsg+~cs20.19.12-1

20.19.5+dfsg+~cs20.19.12-2

20.19.5+dfsg+~cs20.19.12-3

20.19.5+dfsg+~cs20.19.12-4

20.19.5+dfsg+~cs20.19.24-1

22.*

22.12.0+dfsg-1

22.12.0+dfsg-2

22.12.0+dfsg-3

22.14.0+dfsg-1

22.18.0+dfsg-1

22.18.0+dfsg+~cs22.17.2-1

22.18.0+dfsg+~cs22.17.2-2

22.19.0+dfsg+~cs22.18.0-1

22.21.1+dfsg+~cs22.19.0-1

22.21.1+dfsg+~cs22.19.0-2

22.21.1+dfsg+~cs22.19.0-3

22.21.1+dfsg+~cs22.19.0-4

22.21.1+dfsg+~cs22.19.0-5

22.21.1+dfsg+~cs22.19.0-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-21637.json"