Release date:
2026-07-09 09:36:11 UTC
Description:
- CVE-2026-48619: cap the HTTP/2 client originSet at 128 entries so a
malicious server can no longer drive unbounded memory growth via repeated
ORIGIN frames; the session is destroyed with ERR_HTTP2_TOO_MANY_ORIGINS
once the cap is exceeded (backport of nodejs/node c79968e108)
- CVE-2026-48930: reject dns.lookup()/dnsPromises.lookup()/net.connect()
hostnames that contain an embedded NUL byte, preventing silent authority
rebinding caused by C-string truncation in the resolver bindings; adds
validateStringWithoutNullBytes (backport of nodejs/node 7dafafa2)
- CVE-2026-48933: guard the legacy CipherBase::Update() output-length
computation against signed-int overflow (len + block_size > INT_MAX),
turning ~2 GiB one-shot cipher inputs into a clean failure instead of an
out-of-bounds write; the legacy analog of the WebCrypto fix in
nodejs/node 98fbc89211 (Node 12 has no WebCrypto)
Updated packages:
-
alt-nodejs12-nodejs-12.22.12-22.el7.x86_64.rpm
sha:a237a272cf1d8ec71a9982797a080bc91af10c23df8273f4259152741ef45352
-
alt-nodejs12-nodejs-devel-12.22.12-22.el7.x86_64.rpm
sha:ee2102c886670e1f773c5e2ccc962e1bae054b4dddeb5ac67a3dd06e9cd6c97f
-
alt-nodejs12-nodejs-docs-12.22.12-22.el7.noarch.rpm
sha:3dd6020e29069e7f87719e836cb330324b38f8d0ded7640c4b7b68e5d98df987
-
alt-nodejs12-npm-6.14.16-12.22.12.22.el7.x86_64.rpm
sha:4d4acdc571e35058893b1d27e9f6e93aae8050d311721361b12aaa86d54dccf4
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.