Release date:
2026-07-09 14:40:40 UTC
Description:
* SECURITY UPDATE: HTTP/2 client ORIGIN-frame unbounded memory growth
(CVE-2026-48619)
- a malicious HTTP/2 server could send an unlimited number of ORIGIN
frames to a node:http2 client; onOrigin() appended every origin to the
session originSet in an unbounded loop -> Out-of-Memory / remote DoS
- debian/patches/CVE-2026-48619.patch: cap the originSet at 128 entries
(kMaxOriginSetSize, configurable via connect() maxOriginSetSize) and
destroy the session with ERR_HTTP2_TOO_MANY_ORIGINS once the cap is
reached (functional hunks of upstream c79968e108; 23.x is EOL with no
upstream release carrying it)
- CVE-2026-48619
* SECURITY UPDATE: embedded-NUL hostname authority rebinding (CVE-2026-48930)
- dns.lookup/dnsPromises.lookup/net.connect accepted hostnames with an
embedded NUL byte; the C resolver truncates at the first NUL, so a
JS-validated hostname could resolve/connect to a different authority
- debian/patches/CVE-2026-48930.patch: add validateStringWithoutNullBytes
in lib/internal/validators.js and apply it to the hostname/options.host
arguments in lib/dns.js, lib/internal/dns/promises.js and lib/net.js
(JS-only fix, functional hunks of upstream 7dafafa2; 23.x is EOL)
- CVE-2026-48930
* SECURITY UPDATE: WebCrypto AES cipher output-length integer overflow
(CVE-2026-48933)
- AES_Cipher() computed the output buffer length as a signed int
(in.size() + block size + tag), which overflows at ~2 GiB input and
aborts the process (subtle.encrypt) -> DoS (CWE-190)
- debian/patches/CVE-2026-48933.patch: add the TryGetIntCipherOutputLength
guard in src/crypto/crypto_cipher.h and apply it to the AES_Cipher()
length computation in src/crypto/crypto_aes.cc (adapted from upstream
98fbc89211 to the 23.11.1 in.size()/tag_len form; the absent
crypto_chacha20_poly1305.cc hunk is omitted; 23.x is EOL)
- CVE-2026-48933
Updated packages:
-
alt-nodejs23-docs_23.11.1-16_amd64.deb
sha:fff0476fe3bde0da6c07ef06bb0db63f8d5f73ba
-
alt-nodejs23-nodejs_23.11.1-16_amd64.deb
sha:71bd26088459bed1cd82534d6fb96fb3b11ed57b
-
alt-nodejs23-nodejs-devel_23.11.1-16_amd64.deb
sha:5e6fb5c7104998c7784ce00bac01271ceb4ca00b
-
alt-nodejs23-npm_10.9.2-23.11.1.16_amd64.deb
sha:26ae683d0b86abdd579164e0ba95283beda0fd27
-
alt-nodejs23-docs_23.11.1-16_arm64.deb
sha:a15ed390881327c8db0312771ddc6ab9211afdcd
-
alt-nodejs23-nodejs_23.11.1-16_arm64.deb
sha:91e98252bcb99b5c3a94eca711f7727601f6947a
-
alt-nodejs23-nodejs-devel_23.11.1-16_arm64.deb
sha:90e26436de97423d1b242860063950e5d2a57b8c
-
alt-nodejs23-npm_10.9.2-23.11.1.16_arm64.deb
sha:9453b15d116c1936743fbf16ad2fbd7a5d48ff39
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.