[CLSA-2026:1779982595] Fix CVE(s): CVE-2026-21717

Type:

security

Severity:

Moderate

Release date:

2026-05-28 15:36:41 UTC

Description:

   * SECURITY UPDATE: HashDoS in V8 — consecutive numeric strings collide in
     the internal string table, letting attacker-controlled JSON.parse input
     degrade performance in a local PoC against V8 8.4.371.23
     - debian/patches/CVE-2026-21717.patch: scramble the 24-bit array-index
       value stored in a Name's hash_field via a 3-round xorshift-multiply
       with compile-time constants (no upstream V8 8.4 backport exists; this
       is an adapted reduced port — no rapidhash/HashSeed-view refactor)
     - CVE-2026-21717

Updated packages:

alt-nodejs14-docs_14.21.3-23_amd64.deb
sha:a1eb7669306315fe3e2b3dc690da487a10ea9189
alt-nodejs14-nodejs_14.21.3-23_amd64.deb
sha:86bafd5925ad286c5b1b2fcdc44d27df94be912e
alt-nodejs14-nodejs-devel_14.21.3-23_amd64.deb
sha:6816d5cb83437905778c47c10cb9a05304cc3e04
alt-nodejs14-npm_6.14.18-14.21.3-23_amd64.deb
sha:65991b15be7d3b5598ca14d46d44bda020650c2d

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.