[CLSA-2026:1779982041] Fix CVE(s): CVE-2026-21717

Type:

security

Severity:

Moderate

Release date:

2026-05-28 15:27:27 UTC

Description:

   * SECURITY UPDATE: HashDoS in V8 — consecutive numeric strings collide in
     the internal string table, letting attacker-controlled JSON.parse input
     degrade performance in a local PoC against V8 8.4.371.23
     - debian/patches/CVE-2026-21717.patch: scramble the 24-bit array-index
       value stored in a Name's hash_field via a 3-round xorshift-multiply
       with compile-time constants (no upstream V8 8.4 backport exists; this
       is an adapted reduced port — no rapidhash/HashSeed-view refactor)
     - CVE-2026-21717

Updated packages:

alt-nodejs14-docs_14.21.3-23_amd64.deb
sha:5ae508b5dff949f7519de1fb29ae113d8cd6fe8f
alt-nodejs14-nodejs_14.21.3-23_amd64.deb
sha:ca87e0284dbe123cd6129341c7febf32837c958a
alt-nodejs14-nodejs-devel_14.21.3-23_amd64.deb
sha:9598d9d12a05b28e35102129edae052c2342407b
alt-nodejs14-npm_6.14.18-14.21.3-23_amd64.deb
sha:cbf200bf9f1ac7c49f16fa4266300755f0f64aa1

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.