{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-48933", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-05-26T15:00:06.427Z", "datePublished": "2026-06-26T01:14:36.823Z", "dateUpdated": "2026-06-26T15:06:12.149Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**."}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"version": "22.22.3", "status": "affected", "lessThanOrEqual": "22.22.3", "versionType": "semver"}, {"version": "24.16.0", "status": "affected", "lessThanOrEqual": "24.16.0", "versionType": "semver"}, {"version": "26.3.0", "status": "affected", "lessThanOrEqual": "26.3.0", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "cweId": "CWE-190", "description": "CWE-190 Integer Overflow"}]}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-06-26T01:14:36.823Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-26T15:05:58.547904Z", "id": "CVE-2026-48933", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-26T15:06:12.149Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-48933", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-26T15:05:58.547904Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-26T15:06:07.181Z"}}], "cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "affected": [{"vendor": "nodejs", "product": "node", "versions": [{"status": "affected", "version": "22.22.3", "versionType": "semver", "lessThanOrEqual": "22.22.3"}, {"status": "affected", "version": "24.16.0", "versionType": "semver", "lessThanOrEqual": "24.16.0"}, {"status": "affected", "version": "26.3.0", "versionType": "semver", "lessThanOrEqual": "26.3.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"}], "descriptions": [{"lang": "en", "value": "A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190 Integer Overflow"}]}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-06-26T01:14:36.823Z"}}}, "cveMetadata": {"cveId": "CVE-2026-48933", "state": "PUBLISHED", "dateUpdated": "2026-06-26T15:06:12.149Z", "dateReserved": "2026-05-26T15:00:06.427Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-06-26T01:14:36.823Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{}

{"affected_release": [{"advisory": "RHSA-2026:29012", "cpe": "cpe:/a:redhat:hummingbird:1", "package": "nodejs24-main-24.18.0-0.1.hum1", "product_name": "Red Hat Hardened Images", "release_date": "2026-06-24T00:00:00Z"}, {"advisory": "RHSA-2026:7378", "cpe": "cpe:/a:redhat:hummingbird:1", "package": "nodejs25-main-25.9.0-1.1.hum1", "product_name": "Red Hat Hardened Images", "release_date": "2026-04-10T00:00:00Z"}, {"advisory": "RHSA-2026:9455", "cpe": "cpe:/a:redhat:hummingbird:1", "package": "nodejs20-main-20.20.2-1.hum1", "product_name": "Red Hat Hardened Images", "release_date": "2026-04-21T00:00:00Z"}], "bugzilla": {"description": "nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt()", "id": "2493331", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493331"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-770", "details": ["A flaw was found in the Node.js WebCrypto implementation. A remote attacker could exploit this vulnerability by providing an input to the `subtle.encrypt()` function that is a multiple of 2 gigabytes (GiB). This could lead to a denial of service (DoS) by crashing the Node.js process."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-48933", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "nodejs22", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "nodejs24", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "nodejs:24/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "nodejs22", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "nodejs26", "product_name": "Red Hat Hardened Images"}], "public_date": "2026-06-26T01:14:36Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-48933\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-48933\nhttps://nodejs.org/en/blog/vulnerability/june-2026-security-releases"], "statement": "This is an Important denial of service vulnerability in Node.js WebCrypto, as a remote attacker can crash the Node.js process by providing a specially crafted large input to the `subtle.encrypt()` function. This could lead to service unavailability in Red Hat environments where Node.js applications process untrusted data with WebCrypto.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[22.22.3,22.22.3]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[24.16.0,24.16.0]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[26.3.0,26.3.0]"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "node", "source": "cna", "vendor": "nodejs"}, "product": "nodejs", "vendor": "nodejs"}], "created": "2026-06-26T03:30:07.168536+00:00", "updated": "2026-06-27T02:00:10.698108+00:00", "vendors": ["nodejs", "nodejs$PRODUCT$nodejs"]}