2431350 – (CVE-2025-55131) CVE-2025-55131 nodejs: Nodejs uninitialized memory exposure

Bug 2431350 (CVE-2025-55131) - CVE-2025-55131 nodejs: Nodejs uninitialized memory exposure

Summary: CVE-2025-55131 nodejs: Nodejs uninitialized memory exposure

Keywords:
Status:	NEW
Alias:	CVE-2025-55131
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2431479 2431481 2431485 2431488 2431491 2431495 2431498
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-20 21:03 UTC by OSIDB Bzimport
Modified:	2026-02-18 08:36 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2026:2447	None	None	None	2026-02-10 14:22:53 UTC
Red Hat Product Errata	RHBA-2026:2815	None	None	None	2026-02-17 11:23:55 UTC
Red Hat Product Errata	RHSA-2026:1842	None	None	None	2026-02-05 15:58:36 UTC
Red Hat Product Errata	RHSA-2026:1843	None	None	None	2026-02-05 15:58:27 UTC
Red Hat Product Errata	RHSA-2026:2420	None	None	None	2026-02-10 12:45:30 UTC
Red Hat Product Errata	RHSA-2026:2421	None	None	None	2026-02-10 12:45:09 UTC
Red Hat Product Errata	RHSA-2026:2422	None	None	None	2026-02-10 12:44:49 UTC
Red Hat Product Errata	RHSA-2026:2767	None	None	None	2026-02-17 00:39:45 UTC
Red Hat Product Errata	RHSA-2026:2768	None	None	None	2026-02-17 00:58:28 UTC
Red Hat Product Errata	RHSA-2026:2781	None	None	None	2026-02-17 09:25:20 UTC
Red Hat Product Errata	RHSA-2026:2782	None	None	None	2026-02-17 09:26:16 UTC
Red Hat Product Errata	RHSA-2026:2783	None	None	None	2026-02-17 09:25:39 UTC
Red Hat Product Errata	RHSA-2026:2864	None	None	None	2026-02-18 02:24:27 UTC
Red Hat Product Errata	RHSA-2026:2899	None	None	None	2026-02-18 08:36:58 UTC

Description OSIDB Bzimport 2026-01-20 21:03:10 UTC

A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.

Comment 2 errata-xmlrpc 2026-02-05 15:58:26 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:1843 https://access.redhat.com/errata/RHSA-2026:1843

Comment 3 errata-xmlrpc 2026-02-05 15:58:35 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:1842 https://access.redhat.com/errata/RHSA-2026:1842

Comment 4 errata-xmlrpc 2026-02-10 12:44:48 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:2422 https://access.redhat.com/errata/RHSA-2026:2422

Comment 5 errata-xmlrpc 2026-02-10 12:45:07 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:2421 https://access.redhat.com/errata/RHSA-2026:2421

Comment 6 errata-xmlrpc 2026-02-10 12:45:29 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:2420 https://access.redhat.com/errata/RHSA-2026:2420

Comment 7 errata-xmlrpc 2026-02-17 00:39:44 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:2767 https://access.redhat.com/errata/RHSA-2026:2767

Comment 8 errata-xmlrpc 2026-02-17 00:58:27 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:2768 https://access.redhat.com/errata/RHSA-2026:2768

Comment 9 errata-xmlrpc 2026-02-17 09:25:19 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:2781 https://access.redhat.com/errata/RHSA-2026:2781

Comment 10 errata-xmlrpc 2026-02-17 09:25:38 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:2783 https://access.redhat.com/errata/RHSA-2026:2783

Comment 11 errata-xmlrpc 2026-02-17 09:26:15 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:2782 https://access.redhat.com/errata/RHSA-2026:2782

Comment 12 errata-xmlrpc 2026-02-18 02:24:24 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:2864 https://access.redhat.com/errata/RHSA-2026:2864

Comment 13 errata-xmlrpc 2026-02-18 08:36:57 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:2899 https://access.redhat.com/errata/RHSA-2026:2899

Note You need to log in before you can comment on or make changes to this bug.