CVE-2026-21714

MEDIUM

Node.js 20.20.1 22.22.1 24.14.0 25.8.1 - Memory Leak via HTTP/2 WINDOW_UPDATE Frames

Title source: llm

Description

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.

References (1)

Core 1

Core References

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases

Scores

CVSS v3 5.3

EPSS 0.0045

EPSS Percentile 35.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-401

Status published

Products (4)

nodejs/node 20.20.1

nodejs/node 22.22.1

nodejs/node 24.14.0

nodejs/node 25.8.1

Published Mar 30, 2026

Tracked Since Mar 31, 2026