CVE-2026-48933

Published Jun 26, 2026

Last updated 4 days ago

Overview

Description
A flaw in the Node.js WebCrypto implementation can crash the process if the input to `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Source: support@hackerone.com
NVD status: Modified
Products: node.js

Risk scores

CVSS 3.1

Type: Secondary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH

CVSS 3.0

Type: Secondary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH

Weaknesses

support@hackerone.com: CWE-190
0b0ca135-0b70-47e7-9f44-1890c2a1c46c: CWE-770

Social media

Hype score
Not currently trending
  1. ⚠️ Vulnerabilities in Node.js products ❗ CVE-2026-48933 ❗ CVE-2026-48618 ➡️ More info: https://t.co/T7ozh8Eldm https://t.co/HuO8PJ3WnA

    @CERTpy

    2 Jul 2026

    206 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Node.js fixes 12 vulnerabilities in its June 2026 security release (CVE-2026-48933, CVE-2026-48618), and more https://t.co/9aJi3HQB4i #セキュリティ対策Lab #security #securitynews

    @securityLab_jp

    22 Jun 2026

    90 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 Node.js patched all active LTS lines on June 18. CVE-2026-48618: IPv6 dots bypass TLS wildcard certs. CVE-2026-48933: WebCrypto AES crash, remote process abort. Patch to 22.23.0 / 24.17.0 / 26.3.1. How long before your team ships this?

    @dartilesm

    21 Jun 2026

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Node.js shipped 22.23.0, 24.17.0 and 26.3.1 on June 18, fixing 13 CVEs. Two are rated HIGH: CVE-2026-48933, a WebCrypto AES integer overflow that aborts the process, and CVE-2026-48618, a TLS wildcard-depth check fooled by a Unicode dot separator. Which release line do you run?

    @canartuc

    19 Jun 2026

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

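  5. Node.js has fixed multiple serious vulnerabilities: CVE-2026-48933, an integer overflow in WebCrypto AES, and CVE-2026-48618, improper handling of the Unicode middle dot in TLS hostname processing. Several other vulnerabilities have also been fixed. https://t.co/mt8onCMwN7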

    @__kokumoto

    18 Jun 2026

    412 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  6. Protect your servers with the latest Node.js security updates. Patch critical vulnerabilities like CVE-2026-48933 to secure your infrastructure today. #NodeJS #SecurityUpdates #Cybersecurity #CVE #WebSecurity https://t.co/NyM9rB2X29 https://t.co/gAz8IUJpzm

    @the_yellow_fall

    18 Jun 2026

    345 Impressions

    1 Retweet

    3 Likes

    1 Bookmark

    0 Replies

    0 Quotes

Configurations