CVE-2026-48933
HighCVSS 7.5Exploitation Probability (EPSS)
High risk82th percentile — higher than 82% of all known CVEs
Summary
A flaw in Node.js WebCrypto implementation crashes the process when the input of `subtle.encrypt()` is a multiple of 2 GiB. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
Risk Assessment
An attacker can intentionally provide large input data for encryption, causing the Node.js process to crash and disrupting application availability (DoS).
Recommendation
Immediately update Node.js to the latest patched version for your release line (22, 24, or 26).
Original NVD description (English source)
A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

