CVE-2026-21716 is a vulnerability in the Node.js runtime environment affecting versions 20.20.1, 22.22.1, 24.14.0, and 25.8.1 that implement the Permission Model with restricted --allow-fs-write flags. The vulnerability stems from an incomplete fix for CVE-2024-36137, where the promise-based FileHandle API methods chmod() and chown() do not enforce the necessary permission checks to restrict file system write operations. In contrast, the callback-based equivalents fs.fchmod() and fs.fchown() were correctly patched to enforce these restrictions. This discrepancy allows code running with limited file system write permissions to bypass these restrictions by using the promise-based FileHandle methods to modify file permissions and ownership on already-open file descriptors. The vulnerability requires local privileges (process running with restricted permissions) and does not require user interaction. The impact is limited to integrity, as unauthorized changes to file permissions or ownership could lead to privilege escalation or unauthorized file modifications. The CVSS v3.0 base score is 3.3, reflecting low severity due to the limited attack vector (local), required privileges, and lack of confidentiality or availability impact. No known exploits have been reported in the wild. The vulnerability affects Node.js processes that utilize the Permission Model with the --allow-fs-write flag intentionally restricted, which is a security feature to limit file system write capabilities. This vulnerability highlights the importance of consistent permission enforcement across different API variants within the same platform. Organizations relying on Node.js for secure environments, especially those using the Permission Model to sandbox or restrict file system access, should be aware of this gap and monitor for patches or updates from the Node.js project.

The primary impact of CVE-2026-21716 is on the integrity of file system permissions and ownership within Node.js applications running under restricted permission models. Attackers or malicious code with local access and limited file system write permissions can exploit this vulnerability to escalate privileges by modifying file permissions or ownership on already-open file descriptors, bypassing intended security restrictions. This can lead to unauthorized file modifications, potential privilege escalation, or circumvention of security policies designed to restrict file system writes. Although the vulnerability does not affect confidentiality or availability directly, the integrity compromise can facilitate further attacks or persistence mechanisms. The scope is limited to environments using the Node.js Permission Model with restricted --allow-fs-write flags, which may be common in secure or sandboxed deployments. Since exploitation requires local privileges, remote exploitation is unlikely without prior access. The absence of known exploits in the wild reduces immediate risk, but the vulnerability represents a security gap that could be leveraged in multi-stage attacks or insider threat scenarios. Organizations using affected Node.js versions in security-sensitive contexts should consider this vulnerability a risk to their file system integrity controls.

1. Monitor official Node.js channels for patches addressing CVE-2026-21716 and apply updates promptly once available. 2. Until patched, avoid using the promise-based FileHandle methods chmod() and chown() in environments where the Permission Model with restricted --allow-fs-write is enforced; prefer the callback-based fs.fchmod() and fs.fchown() methods which are correctly patched. 3. Implement strict code audits and static analysis to detect usage of vulnerable promise-based FileHandle methods in your codebase. 4. Employ runtime monitoring to detect unexpected changes to file permissions or ownership, especially on sensitive files or directories. 5. Limit local access to Node.js environments running with restricted permissions to trusted users and processes to reduce the risk of exploitation. 6. Consider additional sandboxing or containerization layers to isolate Node.js processes and limit the impact of potential privilege escalations. 7. Review and tighten file system permission policies and ownership assignments to minimize the attack surface. 8. Educate developers and security teams about the differences in permission enforcement between promise-based and callback-based APIs in Node.js to prevent inadvertent insecure coding practices.