Description
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.

This vulnerability affects HTTP/2 users on Node.js 20, 22, 24 and 25.
Published: 2026-03-30
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via memory exhaustion
Action: Apply Patch
AI Analysis

Impact

A memory leak in the Node.js HTTP/2 implementation occurs when a client sends WINDOW_UPDATE frames on the connection stream, causing the flow control window to exceed its 32‑bit signed maximum. The server sends a GOAWAY frame but fails to clean up the associated Http2Session object, allowing its memory usage to grow unchecked, which can eventually deplete system memory and result in service interruption.

Affected Systems

Node.js 20, 22, 24, and 25 running HTTP/2 servers. The flaw is in the http2 module of the core Node.js runtime, so any application that serves HTTP/2 through that module is affected unless it adds mitigation of its own.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) scores this 5.3 Medium: the bug is reachable over the network by an unauthenticated client with no user interaction, and the only impact is a partial loss of availability. The EPSS score of less than 1% and the absence from the CISA KEV catalog indicate that exploitation has not been observed or predicted in the near term. Note, though, that the SSVC assessment recorded in the history below marks it Automatable: yes, and the trigger is simple to script: open an HTTP/2 connection and send WINDOW_UPDATE frames on stream 0 whose increments push the connection-level flow control window past 2³¹-1. Each such connection leaks one Http2Session, so an attacker who can reach any open HTTP/2 port can repeat this in a loop until memory is exhausted and legitimate traffic is refused, which is why a patch is strongly advised.

Generated by OpenCVE AI on March 31, 2026 at 19:39 UTC.
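The flow-control rule the advisory refers to, shown as an added example (this is not Node's http2 implementation and not code from the OpenCVE page). It encodes and decodes WINDOW_UPDATE frames on the wire and applies the RFC 9113 section 6.9.1 check a conforming server runs on stream 0: the connection window starts at 65,535, every increment is added to it, and an increment that would carry it past 2³¹-1 is a FLOW_CONTROL_ERROR connection error answered with GOAWAY. The frame sequences at the bottom are constructed for the demonstration; the function names are illustrative. A vulnerable server gets as far as the GOAWAY and then fails to release the session.

```javascript
// Added example: a model of the HTTP/2 connection-level flow-control check
// (RFC 9113 section 6.9.1). Not Node's own http2 code; frames are constructed.

const MAX_WINDOW = 0x7fffffff;     // 2^31 - 1, the largest legal window
const INITIAL_WINDOW = 65535;      // default connection window (RFC 9113 6.9.2)
const TYPE_WINDOW_UPDATE = 0x8;

// Encode a WINDOW_UPDATE frame: 9-byte header (24-bit length, type, flags,
// reserved bit + 31-bit stream id) followed by a 4-byte payload
// (reserved bit + 31-bit window size increment).
function encodeWindowUpdate(streamId, increment) {
  const buf = Buffer.alloc(13);
  buf.writeUIntBE(4, 0, 3);                      // payload length is always 4
  buf.writeUInt8(TYPE_WINDOW_UPDATE, 3);
  buf.writeUInt8(0, 4);                          // WINDOW_UPDATE defines no flags
  buf.writeUInt32BE(streamId & 0x7fffffff, 5);
  buf.writeUInt32BE(increment & 0x7fffffff, 9);
  return buf;
}

// Decode one frame; a payload that is not exactly 4 bytes is a FRAME_SIZE_ERROR.
function decodeWindowUpdate(buf) {
  if (buf.length < 9) throw new Error('short frame header');
  const length = buf.readUIntBE(0, 3);
  const type = buf.readUInt8(3);
  if (type !== TYPE_WINDOW_UPDATE) throw new Error('not a WINDOW_UPDATE frame');
  if (length !== 4) return { error: 'FRAME_SIZE_ERROR' };   // RFC 9113 6.9
  return {
    streamId: buf.readUInt32BE(5) & 0x7fffffff,   // drop the reserved bit
    increment: buf.readUInt32BE(9) & 0x7fffffff,  // drop the reserved bit
  };
}

// Apply a stream-0 WINDOW_UPDATE. Returns the new window, or the error code
// the receiver must carry in its GOAWAY (a connection error, RFC 9113 5.4.1).
function applyConnectionWindowUpdate(connWindow, increment) {
  if (increment === 0) return { error: 'PROTOCOL_ERROR' };                        // 6.9
  if (connWindow + increment > MAX_WINDOW) return { error: 'FLOW_CONTROL_ERROR' }; // 6.9.1
  return { window: connWindow + increment };
}

// Run a client's frames through the connection window and stop at the first
// connection error, which is the point where a conforming server sends GOAWAY.
function runConnection(frames) {
  let connWindow = INITIAL_WINDOW;
  for (const frame of frames) {
    const f = decodeWindowUpdate(frame);
    if (f.error) return { goaway: f.error, window: connWindow };
    if (f.streamId !== 0) continue;   // per-stream windows are tracked separately
    const r = applyConnectionWindowUpdate(connWindow, f.increment);
    if (r.error) return { goaway: r.error, window: connWindow };
    connWindow = r.window;
  }
  return { goaway: null, window: connWindow };
}

// Constructed client sequences for the demonstration.
const benignFrames = [encodeWindowUpdate(0, 1000), encodeWindowUpdate(0, 1000)];
const singleOverflow = [encodeWindowUpdate(0, MAX_WINDOW)];
const creepingOverflow = [encodeWindowUpdate(0, 0x40000000), encodeWindowUpdate(0, 0x40000000)];

function demo() {
  return {
    benign: runConnection(benignFrames),        // window 67535, no GOAWAY
    single: runConnection(singleOverflow),      // FLOW_CONTROL_ERROR on the first frame
    creeping: runConnection(creepingOverflow),  // second frame tips the window over
  };
}
```

The creeping case is the one worth remembering when writing a detection rule: no single frame is malformed, and the increment in each is legal on its own; only the running sum over the connection crosses the limit.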

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Node.js to a version that includes the HTTP/2 window update fix.
  • If an upgrade is unavailable, monitor per-process memory (RSS and heap) of the workers that serve HTTP/2 and recycle a worker whose usage keeps climbing. Because the leaked Http2Session outlives the GOAWAY that closes its connection, closing individual sessions does not reclaim it; only restarting the process does.
  • Limit or rate‑limit HTTP/2 connections from unauthenticated or untrusted clients to reduce the likelihood of a sustained leak.

Generated by OpenCVE AI on March 31, 2026 at 19:39 UTC.
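The monitoring and connection-limiting actions above, as an added example that is not part of the OpenCVE page and not Node.js's own code. It assumes a worker-per-process deployment behind a supervisor that restarts a worker once it stops accepting sessions; the thresholds, the SessionGuard class and the attachGuard function are illustrative names chosen here, not Node APIs. The wiring uses only public Http2Server and Http2Session events and methods (the server 'session' event, session.socket.remoteAddress, session.setTimeout, session.on('close'), session.close, session.destroy), and the memory check is made injectable so it can be driven without real load.

```javascript
// Added example (not Node's or OpenCVE's code): guard rails for an http2
// server that cannot be upgraded yet. It caps live sessions per client
// address, idles out quiet sessions, and stops taking sessions once process
// RSS passes a limit so the supervisor can restart the worker. All three
// thresholds are assumptions to be tuned per deployment.

const MAX_SESSIONS_PER_IP = 20;               // assumption
const SESSION_IDLE_MS = 30_000;               // assumption
const RSS_LIMIT_BYTES = 512 * 1024 * 1024;    // assumption: 512 MiB per worker

class SessionGuard {
  constructor(limitPerIp = MAX_SESSIONS_PER_IP) {
    this.limit = limitPerIp;
    this.perIp = new Map();   // remoteAddress -> number of live sessions
  }
  // True if a new session from `ip` may stay open; counts it if so.
  admit(ip) {
    const n = this.perIp.get(ip) || 0;
    if (n >= this.limit) return false;
    this.perIp.set(ip, n + 1);
    return true;
  }
  release(ip) {
    const n = this.perIp.get(ip) || 0;
    if (n <= 1) this.perIp.delete(ip); else this.perIp.set(ip, n - 1);
  }
  count(ip) { return this.perIp.get(ip) || 0; }
}

// Pure decision: has this worker grown past the point where it should drain?
function overMemoryLimit(usage, limit = RSS_LIMIT_BYTES) {
  return usage.rss > limit;
}

// Attach the guard to a server from http2.createServer()/createSecureServer().
// Pair it with the server option { maxSessionMemory: 10 } (MiB, Node's own
// per-session cap) at the createServer call; that option bounds a live
// session but cannot reach one that has already leaked.
function attachGuard(server, guard = new SessionGuard(), opts = {}) {
  const idleMs = opts.idleMs ?? SESSION_IDLE_MS;
  const memUsage = opts.memUsage ?? (() => process.memoryUsage());
  const onDrain = opts.onDrain ?? (() => server.close());   // stop accepting; supervisor restarts

  server.on('session', (session) => {
    const ip = session.socket.remoteAddress;
    if (!guard.admit(ip)) {           // this client already holds too many sessions
      session.destroy();
      return;
    }
    session.setTimeout(idleMs, () => session.close());   // quiet sessions go away
    session.on('close', () => guard.release(ip));

    if (overMemoryLimit(memUsage())) {
      // Leaked Http2Session objects are not reachable from here, so the only
      // recovery is to stop taking new sessions and let the worker be replaced.
      onDrain();
    }
  });
  return guard;
}
```

Calling server.close() on an Http2Server stops new connections but lets existing sessions finish, which is the behaviour wanted for a graceful worker swap; the supervisor (systemd, a container orchestrator, or a cluster primary) is expected to start a replacement as the old process exits.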

Advisories

Source      ID          Title
Debian DSA  DSA-6183-1  nodejs security update
History

Wed, 01 Apr 2026 02:15:00 +0000

  Title
    Removed: Node.js HTTP/2 Server Memory Leak due to WINDOW_UPDATE Frames
    Added:   Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames
  First Time appeared
    Added:   Nodejs; Nodejs nodejs
  Weaknesses
    Removed: CWE-400
    Added:   CWE-772
  Vendors & Products
    Added:   Nodejs; Nodejs nodejs
  References
    (no values listed)
  Metrics
    Removed: threat_severity: None
    Added:   cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}
             threat_severity: Moderate

Tue, 31 Mar 2026 18:15:00 +0000

  Weaknesses
    Added:   CWE-401
  Metrics
    Added:   ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

  Title
    Added:   Node.js HTTP/2 Server Memory Leak due to WINDOW_UPDATE Frames
  Weaknesses
    Added:   CWE-400

Mon, 30 Mar 2026 19:30:00 +0000

  Description
    Added:   A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.
  References
    (no values listed)
  Metrics
    Added:   cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-03-31T18:05:22.283Z

Reserved: 2026-01-04T15:00:06.574Z

Link: CVE-2026-21714

Vulnrichment

Updated: 2026-03-31T16:15:18.022Z

NVD

Status: Received

Published: 2026-03-30T20:16:19.573

Modified: 2026-03-31T18:16:45.390

Link: CVE-2026-21714

Redhat

Severity: Moderate

Public Date: 2026-03-30T19:07:28Z

Links: CVE-2026-21714 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-31T20:40:27Z

Weaknesses