PatchSiren cyber security CVE debrief
CVE-2026-48933 Nodejs CVE debrief
A flaw was found in the Node.js WebCrypto implementation. The vulnerability occurs when the input to `subtle.encrypt()` is a multiple of 2GiB, causing the process to crash. This issue affects all supported release lines of Node.js, specifically Node.js 22, Node.js 24, and Node.js 26. The CVSS score for this vulnerability is 7.5, with a severity rating of HIGH. The CVE was published on June 26, 2026, and modified on June 30, 2026.
- Vendor: Nodejs
- Product: Node.js
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-26
- Original CVE updated: 2026-06-30
- Advisory published: 2026-06-26
- Advisory updated: 2026-06-30
Who should care
Organizations and developers using Node.js 22, Node.js 24, or Node.js 26 should prioritize patching this vulnerability to prevent potential crashes and denial-of-service attacks. Given the high severity and potential for exploitation, immediate attention is advised for environments where Node.js is used with WebCrypto functionality.
Technical summary
The vulnerability is triggered when the input to the `subtle.encrypt()` function in Node.js's WebCrypto implementation is a multiple of 2GiB. This causes the process to crash, potentially leading to denial-of-service attacks. The issue is present across all supported versions of Node.js, namely Node.js 22, Node.js 24, and Node.js 26. The CVSS score of 7.5 with HIGH severity indicates a significant risk. The vulnerability is categorized under CWE-190 (Integer Overflow) and CWE-770 (Allocation of Resources Without Limits or Throttling).
Defensive priority
High priority should be given to applying patches for this vulnerability due to its potential for denial-of-service attacks and its high CVSS severity score. Immediate action is recommended for all environments using affected Node.js versions.
Recommended defensive actions
- Apply the patches provided by Node.js for the affected versions (Node.js 22, Node.js 24, Node.js 26) as soon as possible.
- Review application code that calls the WebCrypto API and make sure it handles edge cases and large inputs properly, for example by bounding the size of data passed to `subtle.encrypt()`.
- Monitor Node.js applications for unusual crashes or behavior that could indicate exploitation attempts.
- Implement compensating controls such as rate limiting and monitoring for potential denial-of-service attacks.
- Ensure inventory of systems using Node.js and prioritize patching based on risk and exposure.
Evidence notes
The CVE-2026-48933 vulnerability details were obtained from the official CVE record and the National Vulnerability Database (NVD). The vulnerability affects multiple versions of Node.js and has a high severity score. Patches and advisories have been provided by Node.js and affected vendors like Red Hat.
Official resources
- CVE-2026-48933 CVE record (CVE.org)
- CVE-2026-48933 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.