{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-30T19:07:28Z",
  "bugzilla" : {
    "description" : "Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames",
    "id" : "2453161",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2453161"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-772",
  "details" : [ "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.", "A flaw was found in Node.js. A remote attacker can exploit this vulnerability in Node.js HTTP/2 servers by sending specially crafted WINDOW_UPDATE frames on stream 0 (connection-level). These frames can cause the flow control window to exceed its maximum value, leading to a memory leak as Http2Session objects are not properly cleaned up. This can result in resource exhaustion and a Denial of Service (DoS) condition for the server." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-04-13T00:00:00Z",
    "advisory" : "RHSA-2026:7675",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "nodejs24-1:24.14.1-2.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-04-13T00:00:00Z",
    "advisory" : "RHSA-2026:7670",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:24-8100020260408131901.6d880403"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-04-09T00:00:00Z",
    "advisory" : "RHSA-2026:7350",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:24-9070020260402152654.rhel9"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "nodejs22",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "nodejs:20/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "nodejs:22/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "nodejs:20/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "nodejs:22/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-21714\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21714\nhttps://nodejs.org/en/blog/vulnerability/march-2026-security-releases" ],
  "name" : "CVE-2026-21714",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}