Vulnerabilities: CVE-2026-21637 (High)
Weakness Type: CWE-400
Published: Jan 20, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3: 7.5
📄 Description (English)

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.

🤖 AI Executive Summary

CVE-2026-21637 is a high-severity denial of service vulnerability in Node.js TLS error handling affecting servers using PSK or ALPN callbacks. Remote attackers can crash TLS servers or exhaust resources by triggering synchronous exceptions during the TLS handshake, bypassing standard error handling mechanisms. This vulnerability poses significant risk to Saudi organizations running Node.js-based services, particularly in financial and government sectors where TLS is critical for secure communications.


🤖 AI Intelligence Analysis Analyzed: May 3, 2026 19:27
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability directly impacts Saudi organizations in critical sectors:
1. Banking & Financial Services (SAMA-regulated institutions, payment processors): TLS servers handling authentication and transactions are vulnerable to DoS attacks
2. Government & NCA entities: critical infrastructure and e-government services relying on Node.js TLS implementations
3. Telecommunications (STC, Mobily, Zain): VoIP and messaging services using TLS
4. Energy Sector (ARAMCO, SEC): SCADA and operational technology systems increasingly using Node.js
5. Healthcare providers: patient data transmission over TLS-secured APIs
The ability to remotely trigger resource exhaustion without authentication makes this particularly dangerous for publicly-facing services.
🏢 Affected Saudi Sectors
Banking & Financial Services, Government & Public Administration, Telecommunications, Energy & Utilities, Healthcare, E-Commerce, Critical Infrastructure
⚖️ Saudi Risk Score (AI): 8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Node.js TLS servers in your infrastructure using PSK (Pre-Shared Key) or ALPN (Application Layer Protocol Negotiation) callbacks
2. Implement input validation and error handling wrappers around pskCallback and ALPNCallback functions to catch synchronous exceptions
3. Deploy rate limiting on TLS handshake attempts per source IP to mitigate repeated exploitation
4. Enable comprehensive TLS error logging to detect exploitation attempts

PATCHING GUIDANCE:
1. Apply the latest Node.js patch version immediately (check nodejs.org for version-specific patches)
2. Test patches in non-production environments first, particularly for critical financial and government systems
3. Implement staged rollout for production systems to minimize service disruption

COMPENSATING CONTROLS (if patching delayed):
1. Wrap all pskCallback and ALPNCallback implementations in try-catch blocks
2. Implement connection limits and timeouts to prevent resource exhaustion
3. Deploy WAF/DDoS mitigation at network edge to filter malicious TLS handshakes
4. Monitor file descriptor usage and implement automatic process restart on threshold breach

DETECTION RULES:
1. Alert on repeated TLS handshake failures from single source IP
2. Monitor Node.js process crashes correlated with TLS connection attempts
3. Track file descriptor leaks and memory growth in TLS server processes
4. Log all exceptions in TLS callback functions for forensic analysis
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC 2024 A.5.1 - Information Security Policies (incident response for DoS)
- ECC 2024 A.12.6 - Technical Vulnerability Management (patch management)
- ECC 2024 A.13.1 - Network Security (TLS/encryption controls)
- ECC 2024 A.16.1 - Incident Management (detection and response)
🔵 SAMA CSF
- SAMA CSF ID.GV-1 - Organizational Context (critical infrastructure protection)
- SAMA CSF PR.DS-6 - Data Security (encryption and TLS)
- SAMA CSF DE.CM-1 - Detection and Analysis (monitoring for anomalies)
- SAMA CSF RS.MI-1 - Response and Recovery (incident mitigation)
🟡 ISO 27001:2022
- ISO 27001:2022 A.5.1 - Policies for information security
- ISO 27001:2022 A.8.1 - Asset management
- ISO 27001:2022 A.12.2 - Maintenance of information and communication technology assets
- ISO 27001:2022 A.12.6 - Management of technical vulnerabilities
- ISO 27001:2022 A.16.1 - Planning and preparing incident management
🟣 PCI DSS v4.0.1
- PCI DSS 6.2 - Security patches and updates
- PCI DSS 11.2 - Vulnerability scanning
- PCI DSS 12.10 - Incident response procedures
📦 Affected Products / CPE: 4 entries, all for nodejs:node.js
📊 CVSS Score: 7.5 / 10.0 (High)
📊 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Attack Vector: N (Network)
- Attack Complexity: L (Low)
- Privileges Required: N (None)
- User Interaction: N (None)
- Scope: U (Unchanged)
- Confidentiality: N (None)
- Integrity: N (None)
- Availability: H (High)
📋 Quick Facts
- Severity: High
- CVSS Score: 7.5
- CWE: CWE-400
- EPSS: 0.03%
- Exploit: No
- Patch: Yes
- Published: 2026-01-20
- Source Feed: nvd
- Views: 5
- Saudi Risk Score: 8.2 / 10.0, Priority: HIGH
- Tags: CWE-400