CVE-2026-21637: HackerOne: CVE-2026-21637 TLS PSK/ALPN Callback Exceptions Bypass Error Handlers

Overview

Severity

High (CVSS 7.5)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

Category

Denial of Service

Exploit Status

Not Exploited

Patch Tuesday

2026-Apr

Released

2026-04-14

EPSS Score

0.04% (percentile: 13.4%)

Description

CVE-2026-21637 is regarding a vulnerability in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. HackerOne created this CVE on their behalf. The documented Visual Studio updates incorporate updates in Node.js which address this vulnerability. Please see CVE-2026-21637 for more information.

Affected Products (3)

Developer Tools

• Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
• Microsoft Visual Studio 2022 version 17.12
• Microsoft Visual Studio 2022 version 17.14

Security Updates (3)

• Release Notes
• Release Notes
• Release Notes

Revision History

• 2026-04-14: Information published.