
Node.js ships June 18 security release — 12 CVEs across v22, v24, v26

Node.js v22.23.0, v24.17.0 and v26.3.1 fix 12 CVEs including a TLS wildcard hostname bypass (CVE-2026-48618) and a WebCrypto integer overflow DoS (CVE-2026-48933).


The Node.js project shipped its June 18, 2026 coordinated security release across all supported lines — v22.23.0 (LTS), v24.17.0 (LTS) and v26.3.1 (Current) — closing 12 CVEs. The two High-severity items are CVE-2026-48618, a TLS hostname-normalization mismatch that lets attackers bypass wildcard certificate validation, and CVE-2026-48933, an integer overflow in WebCrypto that crashes the process on any input that is a multiple of 2 GiB. The primary source is the Node.js security release blog post for June 2026; per-line release notes ship at v22.23.0, v24.17.0 and v26.3.1 with the same CVE table.
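An added check, not from the Node.js post, that maps a running Node version onto the fixed versions named above so a CI job or readiness probe can refuse unpatched builds; the release lines and minimum versions are the advisory's, the function names are assumptions of this example.

```javascript
// Added example (not from the Node.js release post): decide whether a Node.js
// version string includes the June 18, 2026 fixes. Anything below the fixed
// version on a covered line, or on a line the advisory does not cover, is
// reported as unpatched so the caller can fail loudly.
'use strict';

// Minimum patched version per major line, as listed in the advisory.
const FIXED_BY_LINE = {
  22: [22, 23, 0],
  24: [24, 17, 0],
  26: [26, 3, 1],
};

// Parse "v24.16.0" or "24.16.0" into [major, minor, patch]; null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { patched, reason } for a Node.js version string such as process.versions.node.
function checkNodeVersion(version) {
  const parsed = parseVersion(version);
  if (!parsed) return { patched: false, reason: `unparseable version: ${version}` };
  const fixed = FIXED_BY_LINE[parsed[0]];
  if (!fixed) {
    return { patched: false, reason: `v${parsed[0]}.x is not a covered release line` };
  }
  if (compareVersions(parsed, fixed) < 0) {
    return { patched: false, reason: `needs v${fixed.join('.')}, running v${parsed.join('.')}` };
  }
  return { patched: true, reason: `at or above v${fixed.join('.')}` };
}

// Report on the process this file runs in (no exit here; wire the result into
// your probe or CI step and fail it when patched === false).
const current = checkNodeVersion(process.versions.node);
console.log(`node ${process.versions.node}: ${current.reason}`);
```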

The two High-severity bugs

CVE-2026-48618 — TLS wildcard-depth authentication bypass. Node's TLS hostname verifier and its DNS resolver disagree on how to normalize Unicode dot separators in hostnames. The resolver collapses Unicode look-alike dots into the ASCII dot; the verifier does not. An attacker who controls a subdomain of a wildcard-certified host — *.example.com — can craft a hostname that the resolver routes to attacker infrastructure but that the verifier checks against a different label than the one your application thinks it is talking to. Teams relying on *.example.com certs plus Node's built-in identity verification (the default for https.request, tls.connect, undici, fetch) are the at-risk population. Credit: Matteo Collina.

CVE-2026-48933 — WebCrypto subtle.encrypt() integer overflow DoS. Passing input whose length is an exact multiple of 2 GiB to crypto.subtle.encrypt() triggers an integer overflow that crashes the worker. Any service that decrypts attacker-controlled blobs through WebCrypto — file-encryption services, blob upload pipelines that re-wrap keys, password vaults using PBKDF-derived AES-GCM — can be reduced to a restart loop with one upload. Credit: Filip Skokan.

Medium- and Low-severity items worth flagging

The remaining CVEs cluster around three themes the Node project has been steadily hardening:

  • TLS / mTLS identity edge cases. CVE-2026-48928 (case-sensitive SNI context matching), CVE-2026-48930 (embedded-NUL hostname rebinding) and CVE-2026-48934 (TLS session reuse not bound to the authenticated host). Multi-tenant TLS terminators and reverse proxies that share a session cache across virtual hosts are the population most exposed.
  • HTTP/2 resource accounting. CVE-2026-48619 caps originSet size so that a malicious upstream cannot flood an HTTP/2 client with unbounded ORIGIN frames; CVE-2026-48937 closes nghttp2 integration gaps where invalid protocol errors did not cleanly tear down the stream (v22 and v24 only — v26 already shipped the newer nghttp2). CVE-2026-48931 fixes a TOCTOU race in http.Agent that could let an attacker poison the response queue.
  • Permission-model bypasses. CVE-2026-48617 (writeReport path validation), CVE-2026-48935 (FileHandle.utimes() ignoring read-only scope) and CVE-2026-48936 (Unix domain sockets bypassing --allow-net, an explicit follow-up fix for the incomplete CVE-2026-21636 patch — v26 only). If you rely on --permission as a sandbox boundary, this release is mandatory.

One credentials-leak fix rounds out the set: CVE-2026-48615 redacts proxy credentials embedded in proxy URLs so they no longer leak into ERR_PROXY_TUNNEL error messages and downstream telemetry.

Exploitation status

None of the 12 are listed as exploited in the wild by the Node.js security team. There is no public PoC at the time of this release. The advisories were embargoed and shipped together as a coordinated cycle, with credit attributed to Matteo Collina (eight items), RafaelGSS (three), Filip Skokan (one) and Tim Perry (one).

That status should carry little weight for the TLS wildcard bypass. Once the diff is public, the behavioral description — Unicode dot mismatch between resolver and verifier — is small enough to reproduce by reading the patch. Defenders relying on wildcard certs as a confidentiality boundary should treat 48618 as patch-now regardless of the lack of in-the-wild reporting today.

Action checklist

  1. Upgrade to v22.23.0, v24.17.0 or v26.3.1 depending on your release line. Container base images need a rebuild and a redeploy — apt/apk channels for the official Docker images typically take 24–48 hours to refresh after the release.
  2. If you operate on the --permission sandbox, this release closes three bypasses including an incomplete fix for CVE-2026-21636 (UDS). Audit any code that opens AF_UNIX sockets or writes diagnostic reports under a permission-restricted runtime — the failure mode is silent until you patch.
  3. For TLS terminators with shared session caches across virtual hosts, the combination of CVE-2026-48928 and CVE-2026-48934 means a session minted for host-a.example.com could be reused against host-b.example.com if the SNI matching was case-fudged. Patch first; if patching is delayed, disable TLS session reuse (secureContext per host, no shared cache).
  4. Wildcard certificate users (CVE-2026-48618): inventory which services consume *.foo.tld certificates over Node-native TLS. There is no configuration mitigation — the patch is the fix.
  5. HTTP/2 clients that hit untrusted origins (CVE-2026-48619): until patched, set a low timeout on outbound HTTP/2 sessions and watch for unbounded heap growth in workers that originate connections to attacker-controllable URLs (webhook receivers, link-preview services).

Context

This is the third Node.js security release in 2026 to ship a permission-model patch — the model is still maturing, and incomplete fixes (CVE-2026-21636 → CVE-2026-48936) are now part of the rhythm. The pattern matters operationally: --permission is not yet a hardening boundary you can lean on for adversarial multi-tenancy. Treat it as defense-in-depth alongside OS-level sandboxing (seccomp, AppArmor, Landlock), not a replacement.

The dependency-update line in this release also lands OpenSSL 3.5.7, llhttp 9.4.2, nghttp2 1.69.0 and undici 8.5.0 / 7.28.0 / 6.27.0. If you maintain a custom Node build or vendor any of these libraries downstream of the Node tarball, the cascade is on you to schedule.
