[CLSA-2026:1783608020] Fix CVE(s): CVE-2026-48619, CVE-2026-48930, CVE-2026-48933
Type:
security
Severity:
Critical
Release date:
2026-07-09 14:40:40 UTC
Description:
* SECURITY UPDATE: HTTP/2 client ORIGIN-frame unbounded memory growth (CVE-2026-48619) - a malicious HTTP/2 server could send an unlimited number of ORIGIN frames to a node:http2 client; onOrigin() appended every origin to the session originSet in an unbounded loop -> Out-of-Memory / remote DoS - debian/patches/CVE-2026-48619.patch: cap the originSet at 128 entries (kMaxOriginSetSize, configurable via connect() maxOriginSetSize) and destroy the session with ERR_HTTP2_TOO_MANY_ORIGINS once the cap is reached (functional hunks of upstream c79968e108; 23.x is EOL with no upstream release carrying it) - CVE-2026-48619 * SECURITY UPDATE: embedded-NUL hostname authority rebinding (CVE-2026-48930) - dns.lookup/dnsPromises.lookup/net.connect accepted hostnames with an embedded NUL byte; the C resolver truncates at the first NUL, so a JS-validated hostname could resolve/connect to a different authority - debian/patches/CVE-2026-48930.patch: add validateStringWithoutNullBytes in lib/internal/validators.js and apply it to the hostname/options.host arguments in lib/dns.js, lib/internal/dns/promises.js and lib/net.js (JS-only fix, functional hunks of upstream 7dafafa2; 23.x is EOL) - CVE-2026-48930 * SECURITY UPDATE: WebCrypto AES cipher output-length integer overflow (CVE-2026-48933) - AES_Cipher() computed the output buffer length as a signed int (in.size() + block size + tag), which overflows at ~2 GiB input and aborts the process (subtle.encrypt) -> DoS (CWE-190) - debian/patches/CVE-2026-48933.patch: add the TryGetIntCipherOutputLength guard in src/crypto/crypto_cipher.h and apply it to the AES_Cipher() length computation in src/crypto/crypto_aes.cc (adapted from upstream 98fbc89211 to the 23.11.1 in.size()/tag_len form; the absent crypto_chacha20_poly1305.cc hunk is omitted; 23.x is EOL) - CVE-2026-48933
Updated packages:
  • alt-nodejs23-docs_23.11.1-16_amd64.deb
    sha:fff0476fe3bde0da6c07ef06bb0db63f8d5f73ba
  • alt-nodejs23-nodejs_23.11.1-16_amd64.deb
    sha:71bd26088459bed1cd82534d6fb96fb3b11ed57b
  • alt-nodejs23-nodejs-devel_23.11.1-16_amd64.deb
    sha:5e6fb5c7104998c7784ce00bac01271ceb4ca00b
  • alt-nodejs23-npm_10.9.2-23.11.1.16_amd64.deb
    sha:26ae683d0b86abdd579164e0ba95283beda0fd27
  • alt-nodejs23-docs_23.11.1-16_arm64.deb
    sha:a15ed390881327c8db0312771ddc6ab9211afdcd
  • alt-nodejs23-nodejs_23.11.1-16_arm64.deb
    sha:91e98252bcb99b5c3a94eca711f7727601f6947a
  • alt-nodejs23-nodejs-devel_23.11.1-16_arm64.deb
    sha:90e26436de97423d1b242860063950e5d2a57b8c
  • alt-nodejs23-npm_10.9.2-23.11.1.16_arm64.deb
    sha:9453b15d116c1936743fbf16ad2fbd7a5d48ff39
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.