Release date:
2026-07-09 14:06:06 UTC
Description:
- CVE-2026-48619: http2 client OOM via unbounded ORIGIN frames. Backport
upstream c79968e108 (first in v22.23.0): cap the client-side originSet
(default 128, configurable via options.maxOriginSetSize on connect) and
destroy the session with ERR_HTTP2_TOO_MANY_ORIGINS once exceeded.
Node 16 is EOL, no upstream 16.x fix; vulnerable onOrigin() loop present.
- CVE-2026-48930: TLS/DNS embedded-NUL hostname authority rebinding.
Backport upstream 7dafafa242 (first in v22.23.0): add
validateStringWithoutNullBytes() and reject embedded NUL bytes in the
hostname/options.host arguments of dns.lookup, dnsPromises.lookup and
net.connect before they reach the NUL-terminated C resolver.
- CVE-2026-48933: WebCrypto AES cipher output-length integer overflow.
Backport upstream 98fbc89211 (first in v22.23.0): add
TryGetIntCipherOutputLength() guard in crypto_cipher.h and use it in
AES_Cipher() so an input length near 2 GiB fails cleanly instead of
overflowing the signed int buffer length and aborting the process.
Updated packages:
-
alt-nodejs16-nodejs-16.20.2-23.el8.x86_64.rpm
sha:b2bd479e9ad7ac443454dca98f0d97531f568067c9461f6fd59e8dc1eb328473
-
alt-nodejs16-nodejs-devel-16.20.2-23.el8.x86_64.rpm
sha:b7c4991b02ed6700b4085e5c1413639c33d44a64437da38c0d7f90d175206414
-
alt-nodejs16-nodejs-docs-16.20.2-23.el8.noarch.rpm
sha:91cca784d6c7309fd1115aa122f96109f1f06000c6c98786b08acdb037bbecff
-
alt-nodejs16-npm-8.19.4-16.20.2.23.el8.x86_64.rpm
sha:aafc9fe2421c678c5d54dd7c179f59a8d9f10139942ea91a5161b0ffa7a4c5c2
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.