SB2026062248 - Multiple vulnerabilities in Node.js

Published: June 22, 2026

Security Bulletin ID: SB2026062248
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 12
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High: 8%, Medium: 58%, Low: 33%

Description

This security bulletin contains information about 12 vulnerabilities.


1) Integer overflow (CVE-ID: CVE-2026-48933)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an integer overflow in the WebCrypto subtle.encrypt() implementation when processing input whose size is a multiple of 2 GiB. A remote attacker can supply crafted input to cause a denial of service.


2) Input validation error (CVE-ID: CVE-2026-48618)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to bypass TLS wildcard-depth authentication.

The vulnerability exists due to improper input validation in TLS hostname handling when normalizing hostnames with Unicode dot separators. A remote attacker can present a crafted hostname to bypass TLS wildcard-depth authentication.

This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.


3) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2026-48615)

CWE-ID: CWE-532 - Information Exposure Through Log Files

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper handling of sensitive information in ERR_PROXY_TUNNEL error messages when processing proxy URLs with embedded credentials. A remote user can trigger an error handling path to disclose sensitive information.

The exposed data may be captured by logs, diagnostics, or other error consumers.


4) Improper access control (CVE-ID: CVE-2026-48617)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to bypass the intended security boundary.

The vulnerability exists due to improper access control in process.report.writeReport() path validation when enforcing the permission model. A local user can provide a crafted path to bypass the intended security boundary.

This can lead to confidentiality impact under affected configurations.


5) Resource exhaustion (CVE-ID: CVE-2026-48619)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in node:http2 clients when processing attacker-controlled ORIGIN frames. A remote attacker can send an unlimited number of ORIGIN frames to cause a denial of service.

The issue can lead to an out-of-memory condition on the client.


6) Improper Resource Shutdown or Release (CVE-ID: CVE-2026-48937)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper resource management in the HTTP/2 server API when handling invalid protocol errors after sending a GOAWAY frame. A remote attacker can continue sending data to cause a denial of service.


7) Improper validation of certificate with host mismatch (CVE-ID: CVE-2026-48928)

CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass mTLS authorization.

The vulnerability exists due to case-sensitive hostname matching in SNI context matching when selecting contexts in multi-context mTLS setups. A remote attacker can use an uppercase hostname to bypass mTLS authorization.


8) Improper Null Termination (CVE-ID: CVE-2026-48930)

CWE-ID: CWE-170 - Improper Null Termination

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass hostname-based authority checks.

The vulnerability exists due to C-string truncation in resolver bindings in TLS hostname handling when processing hostnames containing an embedded NUL character. A remote attacker can present a crafted hostname to bypass hostname-based authority checks.


9) Improper Certificate Validation (CVE-ID: CVE-2026-48934)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass certificate validation.

The vulnerability exists due to improper certificate validation in TLS host verification when reusing a session with a different servername. A remote attacker can reuse a session with a different servername to bypass certificate validation.


10) Improper access control (CVE-ID: CVE-2026-48935)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to modify file metadata outside intended permission restrictions.

The vulnerability exists due to improper access control in FileHandle.utimes() in the promises API when enforcing read-only filesystem permissions. A local user can invoke FileHandle.utimes() on a read-only path to modify file metadata outside intended permission restrictions.


11) Improper access control (CVE-ID: CVE-2026-48936)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to bypass network permission restrictions.

The vulnerability exists due to improper access control in the Permission API when starting a local server over a Unix domain socket without --allow-net permission. A local user can start a local server over a Unix domain socket to bypass network permission restrictions.

This issue is described as an incomplete fix for CVE-2026-21636.


12) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-48931)

CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to poison the HTTP response queue.

The vulnerability exists due to a time-of-check time-of-use race condition in http.Agent when accepting a response before the client has sent the request. A remote attacker can send a response early to poison the HTTP response queue.


Remediation

Install the update from the vendor's website.