[CLSA-2026:1783613814] Fix CVE(s): CVE-2026-48619, CVE-2026-48930, CVE-2026-48933
Type:
security
Severity:
Critical
Release date:
2026-07-09 16:17:14 UTC
Description:
* SECURITY UPDATE: HTTP/2 client ORIGIN-frame unbounded memory growth (CVE-2026-48619) - a malicious HTTP/2 server could send an unlimited number of ORIGIN frames to a node:http2 client; onOrigin() appended every origin to the session originSet in an unbounded loop -> Out-of-Memory / remote DoS - debian/patches/CVE-2026-48619.patch: cap the originSet at 128 entries (kMaxOriginSetSize, configurable via connect() maxOriginSetSize) and destroy the session with ERR_HTTP2_TOO_MANY_ORIGINS once the cap is reached (functional hunks of upstream c79968e108; 23.x is EOL with no upstream release carrying it) - CVE-2026-48619 * SECURITY UPDATE: embedded-NUL hostname authority rebinding (CVE-2026-48930) - dns.lookup/dnsPromises.lookup/net.connect accepted hostnames with an embedded NUL byte; the C resolver truncates at the first NUL, so a JS-validated hostname could resolve/connect to a different authority - debian/patches/CVE-2026-48930.patch: add validateStringWithoutNullBytes in lib/internal/validators.js and apply it to the hostname/options.host arguments in lib/dns.js, lib/internal/dns/promises.js and lib/net.js (JS-only fix, functional hunks of upstream 7dafafa2; 23.x is EOL) - CVE-2026-48930 * SECURITY UPDATE: WebCrypto AES cipher output-length integer overflow (CVE-2026-48933) - AES_Cipher() computed the output buffer length as a signed int (in.size() + block size + tag), which overflows at ~2 GiB input and aborts the process (subtle.encrypt) -> DoS (CWE-190) - debian/patches/CVE-2026-48933.patch: add the TryGetIntCipherOutputLength guard in src/crypto/crypto_cipher.h and apply it to the AES_Cipher() length computation in src/crypto/crypto_aes.cc (adapted from upstream 98fbc89211 to the 23.11.1 in.size()/tag_len form; the absent crypto_chacha20_poly1305.cc hunk is omitted; 23.x is EOL) - CVE-2026-48933
Updated packages:
  • alt-nodejs23-docs_23.11.1-16_amd64.deb
    sha:fff0476fe3bde0da6c07ef06bb0db63f8d5f73ba
  • alt-nodejs23-nodejs_23.11.1-16_amd64.deb
    sha:24e9d048824e731f0a8e240d29f0789280c3becb
  • alt-nodejs23-nodejs-devel_23.11.1-16_amd64.deb
    sha:71ff17ef5af0fb96ef2ab3abae573f532c82dd7c
  • alt-nodejs23-npm_10.9.2-23.11.1.16_amd64.deb
    sha:26ae683d0b86abdd579164e0ba95283beda0fd27
  • alt-nodejs23-docs_23.11.1-16_arm64.deb
    sha:a15ed390881327c8db0312771ddc6ab9211afdcd
  • alt-nodejs23-nodejs_23.11.1-16_arm64.deb
    sha:25c4460c6e8b3a6833241f9ce094436a9dc2a321
  • alt-nodejs23-nodejs-devel_23.11.1-16_arm64.deb
    sha:4b7470632e67eaba89f6ace5800cec867ef69477
  • alt-nodejs23-npm_10.9.2-23.11.1.16_arm64.deb
    sha:9453b15d116c1936743fbf16ad2fbd7a5d48ff39
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.