A flaw in the Node.js WebCrypto module causes the runtime to crash when the input to `subtle.encrypt()` is a size that is a multiple of 2 GiB. This integer overflow error triggers an unhandled exception, terminating the Node.js process and creating a denial of service. The crash can disturb services that rely on encryption or any feature that indirectly invokes WebCrypto, potentially affecting availability of affected applications. This issue corresponds to CWE-190 and CWE-770.

The vulnerability impacts all supported Node.js release lines, including Node.js 22, 24, and 26. Any deployment of these versions that employs the `subtle.encrypt()` API is susceptible. No other Node.js versions or optional modules are included in the affected scope according to the CNA release note.

It is inferred that the crash can be triggered by providing a crafted input payload that aligns with the 2 GiB multiple the description, it is inferred that an attacker could exploit this remotely if they can send such input to a Node.js process that uses WebCrypto, leading to service interruption. This vulnerability involves an integer overflow and an allocation size limit exceeded condition, which can be exhaustion issue. The CVSS score of 7.5 indicates a high severity, while the EPSS score of < 1% shows a very low but nonzero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, but the substantial impact warrants immediate patching.