CVE-2026-21717
ADVISORY - nistSummary
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.
The most common trigger is any endpoint that calls JSON.parse() on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.
This vulnerability affects 20.x, 22.x, 24.x, and 25.x.
Common Weakness Enumeration (CWE)
Use of Weak Hash
Use of Weak Hash
Docker
BSA-2026-21717
-
Docker
CVE-2026-21717
-
NIST
2.2
CVSS SCORE
5.9mediumAlpine
-
Debian
-
Ubuntu
-
CVSS SCORE
N/AmediumAlma
-
CVSS SCORE
N/AhighAlma
-
CVSS SCORE
N/AhighAmazon
-
CVSS SCORE
N/AhighAmazon
-
CVSS SCORE
N/AhighAmazon
-
CVSS SCORE
N/AhighBitnami
BIT-node-2026-21717
2.2
CVSS SCORE
5.9mediumBitnami
BIT-node-min-2026-21717
2.2
CVSS SCORE
5.9mediumRed Hat
2.2
CVSS SCORE
5.9mediumRocky
-
CVSS SCORE
N/AhighRocky
-
CVSS SCORE
N/AhighRocky
-
CVSS SCORE
N/AhighOracle
-
CVSS SCORE
N/AhighOracle
-
CVSS SCORE
N/AhighOracle
-
CVSS SCORE
N/AhighChainguard
CGA-qwf4-ccfm-7gmg
-
Photon
CVE-2026-21717
-
CVSS SCORE
5.9mediumminimos
MINI-4438-x946-whp3
-
minimos
MINI-4j2p-x6p7-jhpp
-
minimos
MINI-63qw-42q3-h82j
-
minimos
MINI-gpw8-8m9c-96hv
-
minimos
MINI-h4q5-969g-r925
-
minimos
MINI-q944-6q2x-g3hx
-
minimos
MINI-qpqh-r3m7-wmgc
-