CVE-2026-48933
published 2026-06-26
Priority P345 · high · 7.5 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.56% (72.1th percentile)
A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nodejs | node | 22.22.3 – 22.22.3 | — |
| nodejs | node | 24.16.0 – 24.16.0 | — |
| nodejs | node | 26.3.0 – 26.3.0 | — |
| nodejs | node.js | — | — |
| nodejs | node.js | — | — |
| nodejs | node.js | — | — |
| nodejs | nodejs | — | — |
| nodejs_22 | nodejs | — | — |
| nodejs_24 | nodejs | — | — |
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd · v3.0 · 7.5 HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat · 7.5 HIGH
VulDB
Node.js up to 22.22.3/24.16.0/26.3.0 subtle.encrypt integer overflow (Nessus ID 323047)
vuldb·2026-06-27·CVSS 7.5
CVE-2026-48933 [HIGH] Node.js up to 22.22.3/24.16.0/26.3.0 subtle.encrypt integer overflow (Nessus ID 323047)
A vulnerability was found in Node.js up to 22.22.3/24.16.0/26.3.0. It has been rated as problematic. This affects the function subtle.encrypt. This manipulation causes integer overflow.
This vulnerability is handled as CVE-2026-48933. The attack can be initiated remotely. There is not any exploit available.
GHSA
A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB.
ghsa_unreviewed·2026-06-26
CVE-2026-48933 [HIGH] CWE-190 A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Red Hat
nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt()
vendor_redhat·2026-06-26·CVSS 7.5
CVE-2026-48933 [HIGH] CWE-770 nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt()
A flaw was found in the Node.js WebCrypto implementation. A remote attacker could exploit this vulnerability by providing an input to the `subtle.encrypt()` function that is a multiple of 2 gigabytes (GiB). This could lead to a denial of service (DoS) by crashing the Node.js process.
Statement: This is an Important denial of service vulnerability in Node.js WebCrypto, as a remote attacker can crash the Node.js process by providing a specially crafted large input to the `subtle.encrypt()` function. This could lead to service unavailability in Red Hat environments where Node.js applications process untrusted data with WebCrypto.
Mitigation: Mitigation for this issue is either not available or the currently av
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-48933 nodejs22: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() [fedora-all]
bugzilla·2026-06-26·CVSS 7.5
CVE-2026-48933 [HIGH] CVE-2026-48933 nodejs22: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-48933 nodejs24: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() [fedora-all]
bugzilla·2026-06-26·CVSS 7.5
CVE-2026-48933 [HIGH] CVE-2026-48933 nodejs24: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() [fedora-all]
Bugzilla
CVE-2026-48933 nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt()
bugzilla·2026-06-26·CVSS 7.5
CVE-2026-48933 [HIGH] CVE-2026-48933 nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt()
A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Bugzilla
CVE-2026-48933 nodejs20: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() [fedora-all]
bugzilla·2026-06-26·CVSS 7.5
CVE-2026-48933 [HIGH] CVE-2026-48933 nodejs20: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() [fedora-all]
Hackernews
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
blogs_hackernews·2026-06-22·CVSS 9.8
CVE-2026-24858 [CRITICAL] ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
## ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
It’s Monday again.
This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.
The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.
Here’s the Monday recap. Let’s get into the week’s mess.
## ⚡ Threat of the We
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases
https://access.redhat.com/errata/RHSA-2026:28727
https://access.redhat.com/errata/RHSA-2026:29012
https://access.redhat.com/errata/RHSA-2026:30172
https://access.redhat.com/errata/RHSA-2026:7378
https://access.redhat.com/errata/RHSA-2026:9455
https://access.redhat.com/security/cve/CVE-2026-48933
https://bugzilla.redhat.com/show_bug.cgi?id=2493331
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48933.json
2026-06-26
Published