2453161 – (CVE-2026-21714) CVE-2026-21714 Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames

Bug 2453161 (CVE-2026-21714) - CVE-2026-21714 Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames

Summary: CVE-2026-21714 Node.js: Node.js: Memory leak and Denial of Service via crafte...

Keywords:
Status:	NEW
Alias:	CVE-2026-21714
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2453567 2453568 2453569
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-30 20:02 UTC by OSIDB Bzimport
Modified:	2026-03-31 21:56 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-30 20:02:29 UTC

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.

This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.

Note You need to log in before you can comment on or make changes to this bug.