Release date:
2026-07-09 15:33:02 UTC
Description:
- CVE-2026-48930: dns,net: reject hostnames with embedded NUL bytes to prevent
silent authority rebinding via C-string truncation in the resolver bindings
(backport of nodejs/node@7dafafa2 adapted to 14.21.3: validateStringWithoutNullBytes)
- CVE-2026-48619: http2: cap the client-side originSet size (default 128) so a
malicious server can no longer cause unbounded memory growth via ORIGIN frames
(backport of nodejs/node@c79968e1)
- CVE-2026-48933: crypto: guard the cipher output-length computation against
signed-int overflow in the legacy CipherBase::Update path in src/node_crypto.cc
(Node 14 has no WebCrypto; adapted INT_MAX guard from nodejs/node@98fbc892)
Updated packages:
-
alt-nodejs14-nodejs-14.21.3-24.el8.x86_64.rpm
sha:84cd43aba1b9c18fa9543fe3c9cae7722d9bbe198532732a5c4030dcb873f307
-
alt-nodejs14-nodejs-devel-14.21.3-24.el8.x86_64.rpm
sha:f50b579f25baea2a84cc294cd46c61e3631a028bd509197dc72aa631e6459fbb
-
alt-nodejs14-nodejs-docs-14.21.3-24.el8.noarch.rpm
sha:e5148f3cc5a9b098e5df379ba4eeceb1deb89704ba2a7cdb3a40bd37f7ee2471
-
alt-nodejs14-npm-6.14.18-14.21.3.24.el8.x86_64.rpm
sha:0512fd14f7f9baf60026855dbda3914131071dd57d95ca1b9336196f6d94be5a
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.