CVE-2026-21637
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-20

Last updated on: 2026-01-30

Assigner: HackerOne

Description
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-01-30
Generated
2026-06-16
AI Q&A
2026-01-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21637
EUVD
EUVD-2026-3327
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
nodejs node.js From 4.0.0 (inc) to 20.20.0 (exc)
nodejs node.js From 22.0.0 (inc) to 22.22.0 (exc)
nodejs node.js From 24.0.0 (inc) to 24.13.0 (exc)
nodejs node.js From 25.0.0 (inc) to 25.3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a flaw in Node.js TLS error handling where synchronous exceptions thrown during the pskCallback or ALPNCallback bypass the standard TLS error handling. This can cause the TLS server process to terminate immediately or leak file descriptors silently, leading to resource exhaustion. The issue arises because these callbacks handle attacker-controlled input during the TLS handshake, allowing a remote attacker to repeatedly trigger the problem.

Impact Analysis

The vulnerability can impact you by allowing remote attackers to crash your TLS server or exhaust its resources, resulting in denial of service. This happens because the server may terminate unexpectedly or leak resources when handling certain TLS handshake callbacks, which attackers can exploit repeatedly.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21637. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart