[CLSA-2026:1779984259] Fix CVE(s): CVE-2026-21717

Type:

security

Severity:

Moderate

Release date:

2026-05-28 16:04:24 UTC

Description:

   * SECURITY UPDATE: HashDoS in V8 — consecutive numeric strings collide in
     the internal string table, letting attacker-controlled JSON.parse input
     degrade performance in a local PoC against V8 8.4.371.23
     - debian/patches/CVE-2026-21717.patch: scramble the 24-bit array-index
       value stored in a Name's hash_field via a 3-round xorshift-multiply
       with compile-time constants (no upstream V8 8.4 backport exists; this
       is an adapted reduced port — no rapidhash/HashSeed-view refactor)
     - CVE-2026-21717

Updated packages:

alt-nodejs14-docs_14.21.3-23_amd64.deb
sha:0a76c040ada4e3a5add6735ebac8d0afdb253ba6
alt-nodejs14-nodejs_14.21.3-23_amd64.deb
sha:663a90ac52aa229a74ecdf798b2b1b695b98087f
alt-nodejs14-nodejs-devel_14.21.3-23_amd64.deb
sha:bbdc8e45235949a51ba8c0ae4135fff8f134c8a6
alt-nodejs14-npm_6.14.18-14.21.3-23_amd64.deb
sha:edd8c75d2b14b1f82267af9007a80b09706b7220

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.