Release date:
2026-05-27 15:17:00 UTC
Description:
* SECURITY UPDATE: HashDoS in V8 — consecutive numeric strings collide in
the internal string table, letting attacker-controlled JSON.parse input
degrade performance ~440x in a local PoC against V8 12.9.202.28
- debian/patches/CVE-2026-21717.patch: scramble the 24-bit array-index
value stored in a Name's raw_hash_field via a 3-round xorshift-multiply
with compile-time constants (no upstream V8 12.9 backport exists; this
is an adapted reduced port — no rapidhash/HashSeed-view refactor)
- CVE-2026-21717
Updated packages:
-
alt-nodejs23-docs_23.11.1-14_amd64.deb
sha:b5915da6ecbea598b3ca19171d11f93cb7cf1e45
-
alt-nodejs23-nodejs_23.11.1-14_amd64.deb
sha:c129c49df9d05f701fcb9ceeb349cae4345ab89d
-
alt-nodejs23-nodejs-devel_23.11.1-14_amd64.deb
sha:ecc7b5a2936259be9ea6a17219edf86cdcbe1abf
-
alt-nodejs23-npm_10.9.2-23.11.1.14_amd64.deb
sha:a342ba0b4a8a7282805e7cb13cab5aff2ae9ebc1
-
alt-nodejs23-docs_23.11.1-14_arm64.deb
sha:6b0f1e60f58cb7294a580c68c86de4744488012f
-
alt-nodejs23-nodejs_23.11.1-14_arm64.deb
sha:37353bdfb034a673dc7f197f6a9d93ccb4f76117
-
alt-nodejs23-nodejs-devel_23.11.1-14_arm64.deb
sha:82ce49a5d90e8d206edde61756fd8323c9600e95
-
alt-nodejs23-npm_10.9.2-23.11.1.14_arm64.deb
sha:3d6da28dfea09d8a189f394c10f24a860f2f9c0d
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
