[CLSA-2026:1779983045] Fix CVE(s): CVE-2026-21717

Type:

security

Severity:

Moderate

Release date:

2026-05-28 15:44:09 UTC

Description:

   * SECURITY UPDATE: HashDoS in V8 — consecutive numeric strings collide in
     the internal string table, letting attacker-controlled JSON.parse input
     degrade performance in a local PoC against V8 8.4.371.23
     - debian/patches/CVE-2026-21717.patch: scramble the 24-bit array-index
       value stored in a Name's hash_field via a 3-round xorshift-multiply
       with compile-time constants (no upstream V8 8.4 backport exists; this
       is an adapted reduced port — no rapidhash/HashSeed-view refactor)
     - CVE-2026-21717

Updated packages:

alt-nodejs14-docs_14.21.3-23_amd64.deb
sha:12d9bac5bdcd12ced3368e037141c1f34be88b8a
alt-nodejs14-nodejs_14.21.3-23_amd64.deb
sha:ee2c461145732e4c192b67a6e713b24e78978ca8
alt-nodejs14-nodejs-devel_14.21.3-23_amd64.deb
sha:6e6be7ff8337a088d1c2e4ef6f84da83f3f65497
alt-nodejs14-npm_6.14.18-14.21.3-23_amd64.deb
sha:ade3764f4623acc45d5cd4e9919350905583c053

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.