CVE-2026-21714 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2026-21714

CVE-2026-21714

Published:March 30, 2026

Updated:April 23, 2026

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.

Affected Packages

https://github.com/nodejs/node.git (GITHUB):

Affected version(s) >=v20.0.0 <v20.20.2

Fix Suggestion:

Update to version v20.20.2

https://github.com/nodejs/node.git (GITHUB):

Affected version(s) >=v25.0.0 <v25.8.2

Fix Suggestion:

Update to version v25.8.2

https://github.com/nodejs/node.git (GITHUB):

Affected version(s) >=v24.0.0 <v24.14.1

Fix Suggestion:

Update to version v24.14.1

https://github.com/nodejs/node.git (GITHUB):

Affected version(s) >=v22.0.0 <v22.22.2

Fix Suggestion:

Update to version v22.22.2

Related Resources (1)

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases

Do you need more information?

CVSS v3

Base Score:

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Weakness Type (CWE)

Missing Release of Memory after Effective Lifetime

CWE-401

EPSS

Base Score:

0.01

Products

Solutions

Resources

Company

Compare

Developer Tools