Description
A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Problem types
Product status
22.22.3 (semver)
24.16.0 (semver)
26.3.0 (semver)
References
access.redhat.com/security/cve/CVE-2026-48933
bugzilla.redhat.com/show_bug.cgi?id=2493331 (RHBZ#2493331)
security.access.redhat.com/...2/vex/2026/cve-2026-48933.json
access.redhat.com/errata/RHSA-2026:35842
access.redhat.com/errata/RHSA-2026:35841
access.redhat.com/errata/RHSA-2026:35892
access.redhat.com/errata/RHSA-2026:35891
access.redhat.com/errata/RHSA-2026:9455
access.redhat.com/errata/RHSA-2026:28727
access.redhat.com/errata/RHSA-2026:29012
access.redhat.com/errata/RHSA-2026:7378
access.redhat.com/errata/RHSA-2026:30172
nodejs.org/en/blog/vulnerability/june-2026-security-releases