PatchSiren cyber security CVE debrief

CVE-2026-48933 Nodejs CVE debrief

A flaw was found in the Node.js WebCrypto implementation. The vulnerability occurs when the input to `subtle.encrypt()` is a multiple of 2 GiB in length, causing the process to crash. This issue affects all supported release lines of Node.js, specifically Node.js 22, Node.js 24, and Node.js 26. The CVSS score for this vulnerability is 7.5, with a severity rating of HIGH. The CVE was published on June 26, 2026, and modified on June 30, 2026.

Vendor: Nodejs
Product: Node.js
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-26
Original CVE updated: 2026-06-30
Advisory published: 2026-06-26
Advisory updated: 2026-06-30

Who should care

Organizations and developers using Node.js 22, Node.js 24, or Node.js 26 should prioritize patching this vulnerability to prevent potential crashes and denial-of-service attacks. Given the high severity and potential for exploitation, immediate attention is advised for environments where Node.js is used with WebCrypto functionality.

Technical summary

The vulnerability is triggered when the input passed to `subtle.encrypt()` in Node.js's WebCrypto implementation has a length that is a multiple of 2 GiB. The process crashes, so an attacker who can influence the size of data an application encrypts can cause a denial of service. The issue is present across all supported versions of Node.js, namely Node.js 22, Node.js 24, and Node.js 26. The CVSS score of 7.5 with HIGH severity indicates a significant risk. The vulnerability is categorized under CWE-190 (Integer Overflow or Wraparound) and CWE-770 (Allocation of Resources Without Limits or Throttling).

Defensive priority

High priority should be given to applying patches for this vulnerability due to its potential for denial-of-service attacks and its high CVSS severity score. Immediate action is recommended for all environments using affected Node.js versions.

Recommended defensive actions

  • Apply the patches provided by Node.js for the affected versions (Node.js 22, Node.js 24, Node.js 26) as soon as possible.
  • Review application code that passes untrusted or unbounded data to WebCrypto, and enforce an input-size limit before calling `subtle.encrypt()` so that large inputs and edge-case lengths are rejected rather than handed to the runtime.
  • Monitor Node.js applications for unusual crashes or behavior that could indicate exploitation attempts.
  • Implement compensating controls such as rate limiting and monitoring for potential denial-of-service attacks.
  • Ensure inventory of systems using Node.js and prioritize patching based on risk and exposure.
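The input-size control from the technical summary and the second recommended action, as an added example that is not part of the PatchSiren debrief or of the Node.js project's own code: a guard placed in front of `subtle.encrypt()` that refuses any buffer whose length is a positive multiple of 2 GiB and, more generally, any input above an application-defined cap. The 64 MiB cap, the `classifyEncryptInput` and `guardedEncrypt` names, and the 2 GiB stand-in object are assumptions made for the example; the `subtle` handle is injected so the wrapper can be exercised without a real key.

```javascript
// Added example (not from the PatchSiren debrief or the Node.js project): a size
// guard in front of WebCrypto encryption so application code never hands
// subtle.encrypt() a buffer whose length is a positive multiple of 2 GiB, and
// never hands it unbounded untrusted input.

const TWO_GIB = 2 ** 31;                    // 2 GiB in bytes
const DEFAULT_MAX_BYTES = 64 * 1024 * 1024; // assumed application policy: 64 MiB cap

// Decide whether a buffer of `byteLength` bytes may be passed to subtle.encrypt().
// Returns { ok, reason } so callers can log why an input was refused.
function classifyEncryptInput(byteLength, { maxBytes = DEFAULT_MAX_BYTES } = {}) {
  if (!Number.isInteger(byteLength) || byteLength < 0) {
    return { ok: false, reason: 'invalid_length' };
  }
  // Defense in depth: the condition the advisory describes (a positive multiple
  // of 2 GiB) is refused explicitly, even if an operator raises maxBytes above 2 GiB.
  if (byteLength > 0 && byteLength % TWO_GIB === 0) {
    return { ok: false, reason: 'multiple_of_2gib' };
  }
  // Primary control: an absolute cap on how much data one encrypt call may take.
  if (byteLength > maxBytes) {
    return { ok: false, reason: 'exceeds_cap' };
  }
  return { ok: true, reason: 'ok' };
}

// Wrapper around subtle.encrypt() that applies the guard before touching WebCrypto.
// `subtle` is injected (normally globalThis.crypto.subtle) to keep the wrapper testable.
async function guardedEncrypt(subtle, algorithm, key, data, opts) {
  const verdict = classifyEncryptInput(data.byteLength, opts);
  if (!verdict.ok) {
    throw new RangeError(`encrypt input refused: ${verdict.reason} (${data.byteLength} bytes)`);
  }
  return subtle.encrypt(algorithm, key, data);
}

// Demo for Node.js 20+, where globalThis.crypto.subtle is available.
async function demo() {
  const subtle = globalThis.crypto.subtle;
  const key = await subtle.generateKey({ name: 'AES-GCM', length: 256 }, false, ['encrypt']);
  const iv = globalThis.crypto.getRandomValues(new Uint8Array(12));
  const plaintext = new TextEncoder().encode('constructed sample message'); // constructed input
  const ct = await guardedEncrypt(subtle, { name: 'AES-GCM', iv }, key, plaintext);
  console.log(`small input accepted, ciphertext bytes: ${ct.byteLength}`);

  // Stand-in object for an oversized buffer; nothing near 2 GiB is actually allocated.
  const oversized = { byteLength: TWO_GIB }; // constructed: exactly 2 GiB
  try {
    await guardedEncrypt(subtle, { name: 'AES-GCM', iv }, key, oversized);
  } catch (err) {
    console.log(`refused: ${err.message}`);
  }
}

if (typeof globalThis.crypto?.subtle !== 'undefined') {
  demo().catch((err) => console.error('demo failed:', err));
}
```

The multiple-of-2 GiB check is deliberately separate from the cap: the cap is the control that actually bounds resource use (CWE-770), while the explicit length check keeps the advisory's trigger condition refused even if someone later relaxes the cap. The guard is a compensating control for unpatched hosts, not a substitute for upgrading to a patched Node.js release.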

Evidence notes

The CVE-2026-48933 vulnerability details were obtained from the official CVE record and the National Vulnerability Database (NVD). The vulnerability affects multiple versions of Node.js and has a high severity score. Patches and advisories have been provided by Node.js and affected vendors like Red Hat.

Official resources

This article is AI-assisted and based on the supplied source corpus.