Node.js HTTP/2 Memory Leak via WINDOW_UPDATE Overflow
CVE-2026-21714 Published on March 30, 2026
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.
Weakness Type
What is a Memory Leak Vulnerability?
The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers or references to the memory, then it can no longer be tracked and identified for release.
CVE-2026-21714 has been classified to as a Memory Leak vulnerability or weakness.
Affected Versions
nodejs node:- Version 20.20.1, <= 20.20.1 is affected.
- Version 22.22.1, <= 22.22.1 is affected.
- Version 24.14.0, <= 24.14.0 is affected.
- Version 25.8.1, <= 25.8.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.