[CLSA-2026:1779983765] Fix CVE(s): CVE-2026-21717

Type:

security

Severity:

Moderate

Release date:

2026-05-28 15:56:10 UTC

Description:

   * SECURITY UPDATE: HashDoS in V8 — consecutive numeric strings collide in
     the internal string table, letting attacker-controlled JSON.parse input
     degrade performance in a local PoC against V8 8.4.371.23
     - debian/patches/CVE-2026-21717.patch: scramble the 24-bit array-index
       value stored in a Name's hash_field via a 3-round xorshift-multiply
       with compile-time constants (no upstream V8 8.4 backport exists; this
       is an adapted reduced port — no rapidhash/HashSeed-view refactor)
     - CVE-2026-21717

Updated packages:

alt-nodejs14-docs_14.21.3-23_amd64.deb
sha:0a76c040ada4e3a5add6735ebac8d0afdb253ba6
alt-nodejs14-nodejs_14.21.3-23_amd64.deb
sha:1c63dab5137b07f513d58b6bb34bf85f9aab237b
alt-nodejs14-nodejs-devel_14.21.3-23_amd64.deb
sha:97817833de6560829d0719deb116ec9ef157d992
alt-nodejs14-npm_6.14.18-14.21.3-23_amd64.deb
sha:edd8c75d2b14b1f82267af9007a80b09706b7220

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.