CVE-2026-21714: Vulnerability in nodejs node
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP/2 users on Node.js 20, 22, 24 and 25.
AI Analysis
Technical Summary
CVE-2026-21714 is a vulnerability in the Node.js HTTP/2 implementation affecting versions 20.20.1, 22.22.1, 24.14.0, and 25.8.1. The flaw occurs when a malicious client sends WINDOW_UPDATE frames on stream 0 (the connection-level stream) that cause the HTTP/2 flow control window to exceed the maximum allowed value of 2³¹-1 (2,147,483,647). The HTTP/2 specification treats a connection-level window overflow as a connection error of type FLOW_CONTROL_ERROR, so the Node.js server correctly detects the protocol violation and responds with a GOAWAY frame to terminate the connection; however, it fails to clean up the Http2Session object associated with that connection. The result is a memory leak: the session object remains allocated even though the connection has been closed. Repeated exploitation causes the server to consume increasing amounts of memory over time, potentially leading to resource exhaustion and denial of service (DoS). The vulnerability does not affect confidentiality or integrity, since it allows neither data leakage nor modification. It is remotely exploitable without authentication or user interaction, so any client able to establish an HTTP/2 connection to the server can trigger it. The issue impacts the availability of Node.js HTTP/2 servers, especially those exposed to untrusted clients or the public internet. No patches or mitigations are linked in the provided data, and no exploits are reported in the wild as of the publication date. The vulnerability was reserved on January 4, 2026, and published on March 30, 2026, with a CVSS v3.0 score of 5.3, a medium severity level that reflects its availability-only impact and ease of exploitation.
Potential Impact
The primary impact of CVE-2026-21714 is on the availability of Node.js HTTP/2 servers. The memory leak caused by improper cleanup of Http2Session objects can lead to gradual memory exhaustion, resulting in degraded server performance or crashes. This can cause denial-of-service conditions, disrupting services that rely on Node.js HTTP/2 servers. Organizations running web applications, APIs, or microservices on affected Node.js versions are at risk of service interruptions, which can affect user experience and business continuity and potentially lead to financial losses. Since the vulnerability does not affect confidentiality or integrity, data breaches are not a direct concern. However, because exploitation requires no authentication, attackers can launch DoS attacks remotely, which widens the population of potential attackers. Large-scale or automated exploitation could affect cloud providers, SaaS platforms, and enterprises with public-facing Node.js HTTP/2 services, especially those with high traffic volumes or limited resource monitoring.
Mitigation Recommendations
Organizations should immediately identify and inventory Node.js HTTP/2 servers running affected versions (20.20.1, 22.22.1, 24.14.0, 25.8.1). The primary mitigation is to apply official patches or updates from the Node.js project once available. In the absence of patches, administrators can implement network-level controls such as rate limiting or filtering to restrict or block suspicious WINDOW_UPDATE frames or abnormal HTTP/2 traffic patterns; note that such controls must sit at an HTTP/2-aware termination point (a reverse proxy or load balancer that terminates TLS), since individual frames are not visible to a plain packet filter inside an encrypted connection. Deploying Web Application Firewalls (WAFs) with HTTP/2 protocol anomaly detection can help mitigate exploitation attempts. Monitoring server memory usage and setting alerts for unusual memory growth, in particular resident memory that keeps rising while the number of open HTTP/2 connections stays flat, can provide early warning of exploitation. Additionally, consider disabling HTTP/2 support temporarily if it is not essential or if mitigation controls are insufficient. Regularly review Node.js release notes and security advisories for updates. Finally, ensure that HTTP/2 implementations are hardened by following best practices for flow control and connection management.
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, India, Canada, Australia, Netherlands, Brazil, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: hackerone
- Date Reserved: 2026-01-04T15:00:06.574Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 69cacda7e6bfc5ba1d6188ab
Added to database: 3/30/2026, 7:23:19 PM
Last enriched: 3/30/2026, 7:40:39 PM
Last updated: 3/30/2026, 9:36:02 PM