CVE-2026-21714 Overview
A memory leak vulnerability exists in Node.js HTTP/2 servers when processing malformed WINDOW_UPDATE frames. When a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1, the server correctly sends a GOAWAY frame to terminate the connection. However, due to improper resource cleanup, the Http2Session object is never deallocated, leading to memory exhaustion over time.
This vulnerability is classified as CWE-401 (Missing Release of Memory after Effective Lifetime), a memory management flaw that can result in denial of service conditions when exploited repeatedly.
Critical Impact
Attackers can exhaust server memory by repeatedly establishing HTTP/2 connections and sending malicious WINDOW_UPDATE frames, causing denial of service without authentication.
Affected Products
- Node.js 20.x (HTTP/2 servers)
- Node.js 22.x (HTTP/2 servers)
- Node.js 24.x (HTTP/2 servers)
- Node.js 25.x (HTTP/2 servers)
Discovery Timeline
- 2026-03-30 - CVE CVE-2026-21714 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-21714
Vulnerability Analysis
The vulnerability resides in the HTTP/2 implementation within Node.js, specifically in how the server handles connection-level flow control. HTTP/2 uses flow control windows to manage data transmission rates between client and server. The flow control window is a 32-bit unsigned integer that tracks how much data can be sent.
When a client sends WINDOW_UPDATE frames targeting stream 0 (the connection-level stream), these frames increment the flow control window. The HTTP/2 specification mandates that this window cannot exceed 2³¹-1 bytes. Node.js correctly detects this overflow condition and responds with a GOAWAY frame to gracefully terminate the connection.
However, the vulnerability occurs in the cleanup path following this GOAWAY frame transmission. The Http2Session object, which encapsulates the connection state, associated buffers, and stream metadata, is not properly released from memory. Each failed connection leaves orphaned session objects that accumulate over time.
Root Cause
The root cause is a missing deallocation of the Http2Session object in the error handling path when a GOAWAY frame is sent due to flow control window overflow. The cleanup routine that normally releases session resources is bypassed when this specific error condition triggers the connection termination. This constitutes a classic CWE-401 vulnerability where memory allocated during session creation is never freed after the session becomes invalid.
Attack Vector
An attacker can exploit this vulnerability remotely over the network without any authentication or user interaction. The attack methodology involves:
- Establishing an HTTP/2 connection to the target Node.js server
- Sending multiple WINDOW_UPDATE frames on stream 0 with large window size increments
- Continuing until the cumulative window size exceeds 2³¹-1
- Repeating the process with new connections to accumulate orphaned sessions
The attack is particularly effective because the server performs the computationally expensive work of session creation and then fails to reclaim those resources. An attacker with modest bandwidth can trigger significant memory consumption on the server by cycling through connections rapidly.
Detection Methods for CVE-2026-21714
Indicators of Compromise
- Unusual volume of HTTP/2 connections with very short lifespans and GOAWAY terminations
- Server memory usage gradually increasing without corresponding increase in legitimate traffic
- Elevated count of WINDOW_UPDATE frames in HTTP/2 traffic logs targeting stream 0
- Connection reset patterns following rapid WINDOW_UPDATE frame sequences
Detection Strategies
- Monitor HTTP/2 server processes for steadily increasing memory consumption (RSS/heap growth)
- Analyze HTTP/2 frame logs for anomalous WINDOW_UPDATE patterns on connection-level streams
- Implement alerting on GOAWAY frames triggered by flow control overflow errors
- Deploy application performance monitoring to track Http2Session object counts
Monitoring Recommendations
- Enable verbose HTTP/2 logging to capture frame-level details for forensic analysis
- Set memory utilization thresholds for Node.js processes with automated alerts
- Track connection establishment and termination rates to identify attack patterns
- Monitor for connections that send excessive WINDOW_UPDATE frames before data transfer
How to Mitigate CVE-2026-21714
Immediate Actions Required
- Upgrade Node.js to the patched version as referenced in the Node.js March 2026 Security Blog
- Implement rate limiting on incoming HTTP/2 connections to slow potential exploitation
- Configure maximum connection limits per client IP address
- Monitor server memory usage and configure automatic process recycling if thresholds are exceeded
Patch Information
The Node.js team has released security updates addressing this vulnerability. Detailed patch information and affected version ranges are available in the Node.js March 2026 Security Blog. Organizations should prioritize updating to patched versions of Node.js 20, 22, 24, and 25.
Workarounds
- If HTTP/2 is not required, disable it and use HTTP/1.1 until patches can be applied
- Deploy a reverse proxy (such as nginx or HAProxy) that handles HTTP/2 termination and forwards HTTP/1.1 to Node.js
- Implement connection rate limiting at the network or load balancer level
- Configure operating system-level memory limits for Node.js processes to prevent complete resource exhaustion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
