Fixed
Created: Jan 20, 2026
Updated: May 11, 2026
Resolved Date: May 7, 2026
Found In Version: 10.25.33.2
Fix Version: 10.25.33.9
Severity: Standard
Applicable for: Wind River Linux LTS 25
Component/s: Userspace
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.
