CVE-2026-21714
Received Received - Intake
Memory Leak in Node.js HTTP/2 Server via WINDOW_UPDATE Frames

Publication date: 2026-03-30

Last updated on: 2026-03-31

Assigner: HackerOne

Description
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2Β³ΒΉ-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-14
NVD
CVE-2026-21714
EUVD
EUVD-2026-17176
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
nodejs node.js 20
nodejs node.js 22
nodejs node.js 24
nodejs node.js 25
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a memory leak in Node.js HTTP/2 servers. It happens when a client sends WINDOW_UPDATE frames on stream 0 (which is the connection-level stream) that increase the flow control window beyond its maximum allowed value of 2Β³ΒΉ-1. Although the server responds correctly by sending a GOAWAY frame to terminate the connection, it fails to clean up the associated Http2Session object, causing memory to be retained unnecessarily.

Impact Analysis

The impact of this vulnerability is a memory leak on the server running Node.js HTTP/2. Over time, if exploited, this can cause increased memory usage leading to degraded server performance or even crashes due to exhaustion of available memory. This can affect the availability of services relying on the vulnerable Node.js versions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21714. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart