CVE-2026-21714

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions Node.js versions 20 through 25

Description A memory leak can occur in Node.js HTTP/2 servers when a client sends WINDOW UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server sends a GOAWAY frame, but the Http2Session object is not properly cleaned up. The WINDOW UPDATE frames are related to the HTTP/2 protocol's flow control mechanism, which manages the amount of data a sender can transmit before receiving acknowledgment from the receiver. Exceeding the maximum flow control window value can lead to resource exhaustion and potentially denial-of-service conditions.

Recommendations Update to a newer version of Node.js that contains a fix for this vulnerability.

Fix

Memory Leak

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-401CWE-400

Related Identifiers

ALSA-2026:7350

ALSA-2026:7670

ALSA-2026:7675

BDU:2026-04836

BIT-NODE-2026-21714

BIT-NODE-MIN-2026-21714

CVE-2026-21714

MGASA-2026-0071

OESA-2026-1951

OESA-2026-1952

OESA-2026-1953

OESA-2026-1954

OPENSUSE-SU-2026:10504-1

OPENSUSE-SU-2026:20519-1

RHSA-2026:7350

RHSA-2026:7670

RHSA-2026:7675

SUSE-SU-2026:1299-1

SUSE-SU-2026:1363-1

SUSE-SU-2026:1371-1

SUSE-SU-2026:1478-1

SUSE-SU-2026:1509-1

SUSE-SU-2026:21181-1

Affected Products

Node.Js

Rocky Linux

CVE-2026-21714

Weakness Enumeration

Related Identifiers

Affected Products

References · 124