[CLSA-2026:1780057363] Fix CVE(s): CVE-2026-21717

Type:

security

Severity:

Moderate

Release date:

2026-05-29 12:22:49 UTC

Description:

   * SECURITY UPDATE: HashDoS in V8 — consecutive numeric strings collide in
     the internal string table, letting attacker-controlled JSON.parse input
     degrade performance in a local PoC against V8 9.4.146.26
     - debian/patches/CVE-2026-21717.patch: scramble the 24-bit array-index
       value stored in a Name's hash_field via a 3-round xorshift-multiply
       with compile-time constants (no upstream Node.js 16 fix exists — 16.x
       went EOL before disclosure; this is an adapted reduced port, no
       rapidhash / HashSeed-view refactor)
     - CVE-2026-21717

Updated packages:

alt-nodejs16-docs_16.20.2-20_amd64.deb
sha:d03b3fba4dec10eafb481d6dfe86adb18edf14d8
alt-nodejs16-nodejs_16.20.2-20_amd64.deb
sha:41a6f07cc77434480879925a8f868f89beee742b
alt-nodejs16-nodejs-devel_16.20.2-20_amd64.deb
sha:a091b4b0af073b51abdbbbc6a39df9e1565543ea
alt-nodejs16-npm_8.19.4-16.20.2-20_amd64.deb
sha:0db58845b112592d6b59c3c5273d3b42cb77e298

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.