{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21714", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-04T15:00:06.574Z", "datePublished": "2026-03-30T19:07:28.317Z", "dateUpdated": "2026-03-30T19:07:28.317Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2\u00b3\u00b9-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\r\n\r\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25."}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"version": "20.20.1", "status": "affected", "lessThanOrEqual": "20.20.1", "versionType": "semver"}, {"version": "22.22.1", "status": "affected", "lessThanOrEqual": "22.22.1", "versionType": "semver"}, {"version": "24.14.0", "status": "affected", "lessThanOrEqual": "24.14.0", "versionType": "semver"}, {"version": "25.8.1", "status": "affected", "lessThanOrEqual": "25.8.1", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T19:07:28.317Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2\u00b3\u00b9-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\r\n\r\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25."}], "id": "CVE-2026-21714", "lastModified": "2026-03-30T20:16:19.573", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-03-30T20:16:19.573", "references": [{"source": "support@hackerone.com", "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-30T20:23:24.133758+00:00", "value": {"mitigation_remediation": ["Upgrade Node.js to the patched version that addresses the memory leak"], "summary": {"action": "Apply Patch", "impact": "Memory Leak / Denial of Service"}, "threat_synthesis": {"affected_systems": "HTTP/2 users running Node.js versions 20, 22, 24, and 25 on any supported platform are affected. The vulnerability is present in the core Node.js implementation for HTTP/2.", "description_and_impact": "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames that cause the flow control window to exceed the maximum value of 2\u00b3\u00b9\u20111. The server sends a GOAWAY frame but fails to clean up the Http2Session object, which persists in memory. Over time this can consume significant memory and potentially lead to service disruption if the leak is not addressed.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity; EPSS data is unavailable and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires a client capable of sending oversized WINDOW_UPDATE frames over an HTTP/2 connection, which is feasible for any entity that can initiate HTTP/2 traffic to the affected server. The attack vector is inferred as remote; mitigation depends on applying the official patch."}}}}, "created": "2026-03-30T20:55:14.078627+00:00", "title": "Node.js HTTP/2 Server Memory Leak due to WINDOW_UPDATE Frames", "updated": "2026-03-30T20:55:14.078660+00:00", "vendors": [], "weaknesses": ["CWE-400"]}