CVE-2026-21716

EUVD-2026-17180
An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.

As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.

This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.3 LOW
LOCAL
LOW
LOW
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
nodejs
bookworm
18.20.4+dfsg-1~deb12u1
fixed
bookworm (security)
18.20.4+dfsg-1~deb12u2
fixed
bullseye
12.22.12~dfsg-1~deb11u4
fixed
bullseye (security)
12.22.12~dfsg-1~deb11u7
fixed
forky
24.15.0+dfsg+~cs24.12.2-1
fixed
sid
24.15.0+dfsg+~cs24.12.2-1
fixed
trixie
vulnerable
trixie (security)
20.19.2+dfsg-1+deb13u2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
nodejs
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
needs-triage
resolute
needs-triage
trusty
needs-triage
xenial
needs-triage
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
nodejs20
suse enterprise server 15 SP5
20.20.2-150500.11.27.1
fixed
suse enterprise server 15 SP6
20.20.2-150600.3.18.1
fixed
nodejs20-devel
suse enterprise server 15 SP5
20.20.2-150500.11.27.1
fixed
suse enterprise server 15 SP6
20.20.2-150600.3.18.1
fixed
nodejs20-docs
suse enterprise server 15 SP5
20.20.2-150500.11.27.1
fixed
suse enterprise server 15 SP6
20.20.2-150600.3.18.1
fixed
nodejs22
suse enterprise sap 15 SP7
22.22.2-150700.3.9.1
fixed
suse enterprise server 15 SP6
22.22.2-150600.13.15.1
fixed
suse enterprise server 15 SP7
22.22.2-150700.3.9.1
fixed
nodejs22-devel
suse enterprise sap 15 SP7
22.22.2-150700.3.9.1
fixed
suse enterprise server 15 SP6
22.22.2-150600.13.15.1
fixed
suse enterprise server 15 SP7
22.22.2-150700.3.9.1
fixed
nodejs22-docs
suse enterprise sap 15 SP7
22.22.2-150700.3.9.1
fixed
suse enterprise server 15 SP6
22.22.2-150600.13.15.1
fixed
suse enterprise server 15 SP7
22.22.2-150700.3.9.1
fixed
nodejs24
suse enterprise sap 15 SP7
24.14.1-150700.15.8.1
fixed
suse enterprise server 15 SP7
24.14.1-150700.15.8.1
fixed
nodejs24-devel
suse enterprise sap 15 SP7
24.14.1-150700.15.8.1
fixed
suse enterprise server 15 SP7
24.14.1-150700.15.8.1
fixed
nodejs24-docs
suse enterprise sap 15 SP7
24.14.1-150700.15.8.1
fixed
suse enterprise server 15 SP7
24.14.1-150700.15.8.1
fixed
npm20
suse enterprise server 15 SP5
20.20.2-150500.11.27.1
fixed
suse enterprise server 15 SP6
20.20.2-150600.3.18.1
fixed
npm22
suse enterprise sap 15 SP7
22.22.2-150700.3.9.1
fixed
suse enterprise server 15 SP6
22.22.2-150600.13.15.1
fixed
suse enterprise server 15 SP7
22.22.2-150700.3.9.1
fixed
npm24
suse enterprise sap 15 SP7
24.14.1-150700.15.8.1
fixed
suse enterprise server 15 SP7
24.14.1-150700.15.8.1
fixed
Common Weakness Enumeration
References
https://nodejs.org/en/blog/vulnerability/march-2026-security-releases