Same page merging reportedly uses a hash to evaluate if a page is the same.
While I’m unclear on what hash is used and there is some mention of SHA-1 on various things written about it, it is possible that a timing attack could be used if a colliding hash exists, but the data it self varies in the last portion of the page. A keyed hash, with a randomly chosen key at the time of evaluation, could be used. There would be no need for HMAC because the length of the data is fixed (although length extension attacks appear to be a protocol issue). It is also possible that the hash evaluation is vulnerable to a timing attack, which can be a separate issue.
