Medium severity 5.3 · NVD Advisory · Published Mar 30, 2026 · Updated Apr 1, 2026
CVE-2026-21714
Description
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.
This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.
Affected products
36 in total; osv-coords, 35 versions:
- pkg:apk/chainguard/nodejs-22 (no CPE) range: < 22.22.3-r0
- pkg:apk/wolfi/nodejs-22 (no CPE) range: < 22.22.3-r0
- pkg:bitnami/node (no CPE) range: < 20.20.2
- pkg:bitnami/node-min (no CPE) range: < 20.20.2
- pkg:rpm/almalinux/nodejs (no CPE) range: < 1:24.14.1-2.module_el9.7.0+222+ef1c61e1
- pkg:rpm/almalinux/nodejs24 (no CPE) range: < 1:24.14.1-2.el10_1
- pkg:rpm/almalinux/nodejs24-devel (no CPE) range: < 1:24.14.1-2.el10_1
- pkg:rpm/almalinux/nodejs24-docs (no CPE) range: < 1:24.14.1-2.el10_1
- pkg:rpm/almalinux/nodejs24-full-i18n (no CPE) range: < 1:24.14.1-2.el10_1
- pkg:rpm/almalinux/nodejs24-libs (no CPE) range: < 1:24.14.1-2.el10_1
- pkg:rpm/almalinux/nodejs24-npm (no CPE) range: < 1:11.11.0-1.24.14.1.2.el10_1
- pkg:rpm/almalinux/nodejs-devel (no CPE) range: < 1:24.14.1-2.module_el9.7.0+222+ef1c61e1
- pkg:rpm/almalinux/nodejs-docs (no CPE) range: < 1:24.14.1-2.module_el9.7.0+222+ef1c61e1
- pkg:rpm/almalinux/nodejs-full-i18n (no CPE) range: < 1:24.14.1-2.module_el9.7.0+222+ef1c61e1
- pkg:rpm/almalinux/nodejs-libs (no CPE) range: < 1:24.14.1-2.module_el9.7.0+222+ef1c61e1
- pkg:rpm/almalinux/nodejs-nodemon (no CPE) range: < 3.0.3-3.module_el9.7.0+209+ecf6523e
- pkg:rpm/almalinux/nodejs-packaging (no CPE) range: < 2021.06-6.module_el9.7.0+209+ecf6523e
- pkg:rpm/almalinux/nodejs-packaging-bundler (no CPE) range: < 2021.06-6.module_el9.7.0+198+8bf605ba
- pkg:rpm/almalinux/npm (no CPE) range: < 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1
- pkg:rpm/almalinux/v8-13.6-devel (no CPE) range: < 3:13.6.233.17-1.24.14.1.2.module_el9.7.0+222+ef1c61e1
- pkg:rpm/opensuse/nodejs24&distro=openSUSE%20Leap%2016.0 (no CPE) range: < 24.14.1-160000.1.1
- pkg:rpm/opensuse/nodejs24&distro=openSUSE%20Tumbleweed (no CPE) range: < 24.14.1-1.1
- pkg:rpm/opensuse/nodejs26&distro=openSUSE%20Tumbleweed (no CPE) range: < 26.3.1-1.1
- pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS (no CPE) range: < 20.20.2-150500.11.27.1
- pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS (no CPE) range: < 20.20.2-150500.11.27.1
- pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS (no CPE) range: < 20.20.2-150500.11.27.1
- pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSS (no CPE) range: < 20.20.2-150600.3.18.1
- pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5 (no CPE) range: < 20.20.2-150500.11.27.1
- pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6 (no CPE) range: < 20.20.2-150600.3.18.1
- pkg:rpm/suse/nodejs22&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP7 (no CPE) range: < 22.22.2-150700.3.9.1
- pkg:rpm/suse/nodejs22&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSS (no CPE) range: < 22.22.2-150600.13.15.1
- pkg:rpm/suse/nodejs22&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6 (no CPE) range: < 22.22.2-150600.13.15.1
- pkg:rpm/suse/nodejs24&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP7 (no CPE) range: < 24.14.1-150700.15.8.1
- pkg:rpm/suse/nodejs24&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 (no CPE) range: < 24.14.1-160000.1.1
- pkg:rpm/suse/nodejs24&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 (no CPE) range: < 24.14.1-160000.1.1