CVE-2026-21714 — Missing Release of Memory after Effective Lifetime in Node

CWE-401 — Missing Release of Memory after Effective Lifetime CWE-772 — Missing Release of Resource after Effective Lifetime9 documents8 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 97.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Nodejs Node

Timeline

PublishedMar 30

Description

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶Alpinenodejs/nodejs< 22.22.2-r0+2

▶Debiannodejs/nodejs< 20.19.2+dfsg-1+deb13u2+1

▶CVEListV5nodejs/node20.20.1 — 20.20.1+3

🔴Vulnerability Details

OSV

CVE-2026-21714: A memory leak occurs in Node↗2026-03-30

▶

CVEList

CVE-2026-21714: A memory leak occurs in Node↗2026-03-30

▶

OSV

CVE-2026-21714: A memory leak occurs in Node↗2026-03-30

▶

GHSA

GHSA-cfr8-f5q7-84wq: A memory leak occurs in Node↗2026-03-30

▶

📋Vendor Advisories

Red Hat

Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames↗2026-03-30

▶

Debian

CVE-2026-21714: nodejs - A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-21714 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-21714 Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames↗2026-03-30

▶