{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-48933","assignerOrgId":"36234546-b8fa-4601-9d6f-f4e334aa8ea1","state":"PUBLISHED","assignerShortName":"hackerone","dateReserved":"2026-05-26T15:00:06.427Z","datePublished":"2026-06-26T01:14:36.823Z","dateUpdated":"2026-07-07T12:05:08.941Z"},"containers":{"cna":{"descriptions":[{"lang":"en","value":"A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**."}],"affected":[{"defaultStatus":"unaffected","vendor":"nodejs","product":"node","versions":[{"version":"22.22.3","status":"affected","lessThanOrEqual":"22.22.3","versionType":"semver"},{"version":"24.16.0","status":"affected","lessThanOrEqual":"24.16.0","versionType":"semver"},{"version":"26.3.0","status":"affected","lessThanOrEqual":"26.3.0","versionType":"semver"}]}],"references":[{"url":"https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"}],"metrics":[{"cvssV3_0":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH"}}],"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","cweId":"CWE-190","description":"CWE-190 Integer Overflow"}]}],"providerMetadata":{"orgId":"36234546-b8fa-4601-9d6f-f4e334aa8ea1","shortName":"hackerone","dateUpdated":"2026-06-26T01:14:36.823Z"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-26T15:05:58.547904Z","id":"CVE-2026-48933","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-26T15:06:12.149Z"}},{"affected":[{"cpes":["cpe:/o:redhat:enterprise_linux:10.2"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 10)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:hummingbird:1"],"defaultStatus":"affected","product":"Red Hat Hardened Images","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"}],"datePublic":"2026-06-26T01:14:36.823Z","descriptions":[{"lang":"en","value":"A flaw was found in the Node.js WebCrypto implementation. A remote attacker could exploit this vulnerability by providing an input to the `subtle.encrypt()` function that is a multiple of 2 gigabytes (GiB). This could lead to a denial of service (DoS) by crashing the Node.js process."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-770","description":"Allocation of Resources Without Limits or Throttling","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-48933"},{"name":"RHBZ#2493331","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2493331"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48933.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:35842"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:35841"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:35892"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:35891"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:9455"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:28727"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:29012"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:7378"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:30172"}],"solutions":[{"lang":"en","value":"RHSA-2026:35842: Red Hat Enterprise Linux AppStream (v. 10)"},{"lang":"en","value":"RHSA-2026:35841: Red Hat Enterprise Linux AppStream (v. 10)"},{"lang":"en","value":"RHSA-2026:35892: Red Hat Enterprise Linux AppStream (v. 9)"},{"lang":"en","value":"RHSA-2026:35891: Red Hat Enterprise Linux AppStream (v. 9)"},{"lang":"en","value":"RHSA-2026:9455: Red Hat Hardened Images"},{"lang":"en","value":"RHSA-2026:28727: Red Hat Hardened Images"},{"lang":"en","value":"RHSA-2026:29012: Red Hat Hardened Images"},{"lang":"en","value":"RHSA-2026:7378: Red Hat Hardened Images"},{"lang":"en","value":"RHSA-2026:30172: Red Hat Hardened Images"}],"timeline":[{"lang":"en","time":"2026-06-26T02:01:39.107Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-26T01:14:36.823Z","value":"Made public."}],"title":"nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt()","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-07T12:05:08.941Z"}}]}}