What is CVE-2026-21714?

CVE-2026-21714 is a medium-severity vulnerability in Nodejs Node. CVSS score: 5.3/10. Published 2026-03-30.

How severe is CVE-2026-21714?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Vulnerability in Nodejs Node

CVE-2026-21714

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but…

EPSS: 0.000 (5.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.

Affected products

Nodejs Node — versions 20.20.1, 22.22.1, 24.14.0

References

nodejs.org/en/blog/vulnerability/march-2026-security-releases

Frequently asked questions

What is CVE-2026-21714?: CVE-2026-21714 is a medium-severity vulnerability in Nodejs Node. CVSS score: 5.3/10. Published 2026-03-30.
How severe is CVE-2026-21714?: Medium severity. CVSS v3 base score is 5.3 out of 10.