{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21714", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-04T15:00:06.574Z", "datePublished": "2026-03-30T19:07:28.317Z", "dateUpdated": "2026-03-31T18:05:22.283Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2\u00b3\u00b9-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\r\n\r\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25."}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"version": "20.20.1", "status": "affected", "lessThanOrEqual": "20.20.1", "versionType": "semver"}, {"version": "22.22.1", "status": "affected", "lessThanOrEqual": "22.22.1", "versionType": "semver"}, {"version": "24.14.0", "status": "affected", "lessThanOrEqual": "24.14.0", "versionType": "semver"}, {"version": "25.8.1", "status": "affected", "lessThanOrEqual": "25.8.1", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T19:07:28.317Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-401", "lang": "en", "description": "CWE-401 Missing Release of Memory after Effective Lifetime"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T16:14:45.777607Z", "id": "CVE-2026-21714", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:05:22.283Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}}], "affected": [{"vendor": "nodejs", "product": "node", "versions": [{"status": "affected", "version": "20.20.1", "versionType": "semver", "lessThanOrEqual": "20.20.1"}, {"status": "affected", "version": "22.22.1", "versionType": "semver", "lessThanOrEqual": "22.22.1"}, {"status": "affected", "version": "24.14.0", "versionType": "semver", "lessThanOrEqual": "24.14.0"}, {"status": "affected", "version": "25.8.1", "versionType": "semver", "lessThanOrEqual": "25.8.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "descriptions": [{"lang": "en", "value": "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2\u00b3\u00b9-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\r\n\r\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T19:07:28.317Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21714", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T16:14:45.777607Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "CWE-401 Missing Release of Memory after Effective Lifetime"}]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-31T16:15:18.022Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-21714", "state": "PUBLISHED", "dateUpdated": "2026-03-30T19:07:28.317Z", "dateReserved": "2026-01-04T15:00:06.574Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-03-30T19:07:28.317Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2\u00b3\u00b9-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\r\n\r\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25."}, {"lang": "es", "value": "Se produce una fuga de memoria en servidores HTTP/2 de Node.js cuando un cliente env\u00eda tramas WINDOW_UPDATE en el flujo 0 (a nivel de conexi\u00f3n) que hacen que la ventana de control de flujo exceda el valor m\u00e1ximo de 2\u00b3\u00b9-1. El servidor env\u00eda correctamente una trama GOAWAY, pero el objeto Http2Session nunca se limpia.\n\nEsta vulnerabilidad afecta a los usuarios de HTTP2 en Node.js 20, 22, 24 y 25."}], "id": "CVE-2026-21714", "lastModified": "2026-04-01T14:24:21.833", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-03-30T20:16:19.573", "references": [{"source": "support@hackerone.com", "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames", "id": "2453161", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453161"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-772", "details": ["A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2\u00b3\u00b9-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.", "A flaw was found in Node.js. A remote attacker can exploit this vulnerability in Node.js HTTP/2 servers by sending specially crafted WINDOW_UPDATE frames on stream 0 (connection-level). These frames can cause the flow control window to exceed its maximum value, leading to a memory leak as Http2Session objects are not properly cleaned up. This can result in resource exhaustion and a Denial of Service (DoS) condition for the server."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-21714", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "nodejs22", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "nodejs24", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:24/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nodejs:24/nodejs", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-30T19:07:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-21714\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21714\nhttps://nodejs.org/en/blog/vulnerability/march-2026-security-releases"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "20.20.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "22.22.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "24.14.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "25.8.1"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "node", "source": "cna", "vendor": "nodejs"}, "product": "nodejs", "vendor": "nodejs"}], "analysis": {"en": {"generated_at": "2026-04-01T05:40:18.816966+00:00", "value": {"mitigation_remediation": ["Upgrade Node.js to a patched release that eliminates the memory leak.", "Restart your Node.js HTTP/2 servers to clear any remaining leaked sessions after the upgrade.", "Monitor server memory usage and network traffic for sudden spikes that could indicate an attempted exploitation."], "summary": {"action": "Apply Patch", "impact": "Memory Leak leading to Denial of Service"}, "threat_synthesis": {"affected_systems": "The flaw is present in Node.js HTTP/2 implementations running versions 20, 22, 24, and 25. Systems that expose HTTP/2 services and are built on these Node.js releases are vulnerable. No other Node.js versions were listed as affected.", "description_and_impact": "A memory leak in Node.js HTTP/2 servers occurs when the server receives WINDOW_UPDATE frames on stream 0 that increase the flow control window beyond 2\u00b3\u00b9-1. The server sends a GOAWAY frame to terminate the connection but does not clean up the Http2Session object. The retained session consumes memory, leading to resource exhaustion and enabling a denial\u2011of\u2011service attack. This weakness falls under memory management and resource cleanup failures, aligned with CWE\u2011401 and CWE\u2011772.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity, reflecting that the attack requires a client that can send crafted HTTP/2 frames. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not included in the CISA KEV catalog. Exploitation would involve a remote client sending oversized WINDOW_UPDATE frames over an HTTP/2 connection; because the server spawns an unreleased session, persistent memory use can culminate in service disruption."}}}}, "created": "2026-03-30T20:55:14.078627+00:00", "updated": "2026-04-02T07:54:06.600838+00:00", "vendors": ["nodejs", "nodejs$PRODUCT$nodejs"]}