PT-2026-28095 · V8+2

Sharp_Edged · Published 2026-01-01 · Updated 2026-05-05 · CVE-2026-21717

CVSS v3.1: 5.9 Medium
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: V8 versions 20.x through 25.x
Description: A flaw exists in V8's string hashing mechanism: integer-like strings are hashed to their numeric value, which makes hash collisions predictable. An attacker can exploit this by crafting requests that cause numerous collisions within V8's internal string table, significantly degrading the performance of the Node.js process. The issue is commonly triggered by endpoints that call JSON.parse() on attacker-controlled input, because this function automatically internalizes short strings into the affected hash table. The root cause is that V8 uses an unseeded hash for integer-looking strings; this hash must be quickly reversible to maintain performance optimizations.
Recommendations: Update to a version beyond 25.x.

Exploit

Fix

DoS

Improper Resource Release

Weakness Enumeration

Related Identifiers

ALSA-2026:7350
ALSA-2026:7670
ALSA-2026:7675
BDU:2026-04839
BIT-NODE-2026-21717
BIT-NODE-MIN-2026-21717
CVE-2026-21717
MGASA-2026-0071
OESA-2026-1951
OESA-2026-1952
OESA-2026-1953
OESA-2026-1954
OPENSUSE-SU-2026:10504-1
OPENSUSE-SU-2026:20519-1
RHSA-2026:6402
RHSA-2026:6431
RHSA-2026:7350
RHSA-2026:7386
RHSA-2026:7387
RHSA-2026:7670
RHSA-2026:7675
SUSE-SU-2026:1299-1
SUSE-SU-2026:1363-1
SUSE-SU-2026:1371-1
SUSE-SU-2026:1478-1
SUSE-SU-2026:1509-1
SUSE-SU-2026:21181-1

Affected Products

Node.js
Rocky Linux
V8