[CLSA-2026:1783603072] Fix CVE(s): CVE-2026-48619, CVE-2026-48930, CVE-2026-48933
Type:
security
Severity:
Critical
Release date:
2026-07-09 17:00:57 UTC
Description:
* SECURITY UPDATE: http2 client ORIGIN-frame unbounded memory growth - debian/patches/CVE-2026-48619.patch: cap the http2 client originSet size (default 128, configurable via the connect() maxOriginSetSize option) and destroy the session with ERR_HTTP2_TOO_MANY_ORIGINS once exceeded, so a malicious server can no longer grow originSet without bound (no upstream Node.js 18 fix exists — 18.x went EOL before disclosure; adapted from c79968e108, first in v22.23.0) - CVE-2026-48619 * SECURITY UPDATE: embedded-NUL hostnames cause silent authority rebinding - debian/patches/CVE-2026-48930.patch: add validateStringWithoutNullBytes and reject hostnames/hosts containing an embedded NUL byte in dns.lookup(), dnsPromises.lookup() and net.connect()/createConnection(), preventing c-string truncation in the resolver bindings from resolving a different authority than the one validated (adapted from 7dafafa2, first in v22.23.0) - CVE-2026-48930 * SECURITY UPDATE: WebCrypto cipher output-length signed integer overflow - debian/patches/CVE-2026-48933.patch: guard the WebCrypto AES output length with TryGetIntCipherOutputLength so inputs near 2 GiB fail cleanly instead of overflowing the signed int buffer length and aborting the process (adapted from 98fbc89211, first in v22.23.0) - CVE-2026-48933
Updated packages:
  • alt-nodejs18-docs_18.20.8-14_amd64.deb
    sha:86bee37c60a8d7aacc0740dee601fc7d2f5203cc
  • alt-nodejs18-nodejs_18.20.8-14_amd64.deb
    sha:529e77d03cde21411023835eb588702265ec76eb
  • alt-nodejs18-nodejs-devel_18.20.8-14_amd64.deb
    sha:97bd8298785270e2f00b567ad52dc27a4cca8445
  • alt-nodejs18-npm_10.8.2-18.20.8.14_amd64.deb
    sha:b4175a101a42fb0538449fc35923f3af51271dd1
  • alt-nodejs18-docs_18.20.8-14_arm64.deb
    sha:94895ffe6c6b52e6bf828d3033dd8f7f036650b1
  • alt-nodejs18-nodejs_18.20.8-14_arm64.deb
    sha:d09c5c810d6385c13e3dd5891ed19d07fb8aa8b5
  • alt-nodejs18-nodejs-devel_18.20.8-14_arm64.deb
    sha:a6e04793cc7da68446749217c49204fe6b47ddbb
  • alt-nodejs18-npm_10.8.2-18.20.8.14_arm64.deb
    sha:8b4f6bd799ee3aafdbb858e06757393f6bf91cc7
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.