Linux host-73 6.12.74-6.12-alt1 #1 SMP PREEMPT_DYNAMIC Fri Mar 6 13:49:54 UTC 2026 x86_64 GNU/Linux
$ cd node
$ export CC=clang-19 CXX=clang++-19
$ export CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address"
$ ./configure --prefix=$(pwd)/buildroot --enable-asan
$ make install
./buildroot/bin/node test.js
netcat localhost 8000 < crash.txt
There should be no use-after-free error.
=================================================================
==988776==ERROR: AddressSanitizer: heap-use-after-free on address 0x50d0000027c4 at pc 0x5623311b4bc7 bp 0x7ffd4e856af0 sp 0x7ffd4e856ae8
READ of size 1 at 0x50d0000027c4 thread T0
#0 0x5623311b4bc6 in nghttp2_session_mem_recv2 (/home/user/node-upstream/buildroot/bin/node+0x4bb4bc6) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#1 0x56232e21f5bb in node::http2::Http2Session::ConsumeHTTP2Data() (/home/user/node-upstream/buildroot/bin/node+0x1c1f5bb) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#2 0x56232e22952d in node::http2::Http2Session::OnStreamRead(long, uv_buf_t const&) (/home/user/node-upstream/buildroot/bin/node+0x1c2952d) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#3 0x56232e529787 in node::LibuvStreamWrap::OnUvRead(long, uv_buf_t const*) (/home/user/node-upstream/buildroot/bin/node+0x1f29787) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#4 0x56232e52b15b in node::LibuvStreamWrap::ReadStart()::$_1::__invoke(uv_stream_s*, long, uv_buf_t const*) stream_wrap.cc
#5 0x5623304b42b5 in uv__read /home/user/node-upstream/out/../deps/uv/src/unix/stream.c:1148:7
#6 0x5623304b42b5 in uv__stream_io /home/user/node-upstream/out/../deps/uv/src/unix/stream.c:1208:5
#7 0x5623304ca285 in uv__io_poll /home/user/node-upstream/out/../deps/uv/src/unix/linux.c:1565:11
#8 0x562330491d74 in uv_run /home/user/node-upstream/out/../deps/uv/src/unix/core.c:460:5
#9 0x56232de95cc5 in node::SpinEventLoopInternal(node::Environment*) (/home/user/node-upstream/buildroot/bin/node+0x1895cc5) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#10 0x56232e262173 in node::NodeMainInstance::Run() (/home/user/node-upstream/buildroot/bin/node+0x1c62173) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#11 0x56232e0b0d59 in node::Start(int, char**) (/home/user/node-upstream/buildroot/bin/node+0x1ab0d59) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#12 0x7fd87303fc8b (/lib64/libc.so.6+0x27c8b) (BuildId: 22555ae827f9b29f1149acf2fe0887aa8760c393)
#13 0x7fd87303fd44 in __libc_start_main (/lib64/libc.so.6+0x27d44) (BuildId: 22555ae827f9b29f1149acf2fe0887aa8760c393)
#14 0x56232dd8f530 in _start (/home/user/node-upstream/buildroot/bin/node+0x178f530) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
0x50d0000027c4 is located 132 bytes inside of 144-byte region [0x50d000002740,0x50d0000027d0)
freed by thread T0 here:
#0 0x56232de2e536 in free /usr/src/RPM/BUILD/llvm-project-19/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
#1 0x56232e254245 in node::mem::NgLibMemoryManager<node::http2::Http2Session, nghttp2_mem>::FreeImpl(void*, void*) (/home/user/node-upstream/buildroot/bin/node+0x1c54245) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#2 0x56233119e3ad in nghttp2_session_close_stream (/home/user/node-upstream/buildroot/bin/node+0x4b9e3ad) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#3 0x5623311aac9d in session_close_stream_on_goaway nghttp2_session.c
#4 0x5623311a3281 in session_after_frame_sent1 nghttp2_session.c
#5 0x56233119ed9a in nghttp2_session_mem_send (/home/user/node-upstream/buildroot/bin/node+0x4b9ed9a) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#6 0x56232e21d978 in node::http2::Http2Session::SendPendingData() (/home/user/node-upstream/buildroot/bin/node+0x1c1d978) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#7 0x56232e220b35 in node::http2::Http2Stream::SubmitRstStream(unsigned int) (/home/user/node-upstream/buildroot/bin/node+0x1c20b35) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#8 0x56232e2354b2 in node::http2::Http2Stream::RstStream(v8::FunctionCallbackInfo<v8::Value> const&) (/home/user/node-upstream/buildroot/bin/node+0x1c354b2) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#9 0x5622d048f5e1 in Builtins_CallApiCallbackGeneric embedded.o
#10 0x5622d048d8dd in Builtins_InterpreterEntryTrampoline embedded.o
#11 0x5622d048b4db in Builtins_JSEntryTrampoline embedded.o
#12 0x5622d048b202 in Builtins_JSEntry embedded.o
#13 0x56232eb6aec5 in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) execution.cc
#14 0x56232eb69468 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) (/home/user/node-upstream/buildroot/bin/node+0x2569468) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#15 0x56232e8206cd in v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) (/home/user/node-upstream/buildroot/bin/node+0x22206cd) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#16 0x56232de946bc in node::InternalMakeCallback(node::Environment*, v8::Local<v8::Object>, v8::Local<v8::Object>, v8::Local<v8::Function>, int, v8::Local<v8::Value>*, node::async_context, v8::Local<v8::Value>) (/home/user/node-upstream/buildroot/bin/node+0x18946bc) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#17 0x56232dec6052 in node::AsyncWrap::MakeCallback(v8::Local<v8::Function>, int, v8::Local<v8::Value>*) (/home/user/node-upstream/buildroot/bin/node+0x18c6052) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#18 0x56232e2221a5 in node::http2::Http2Session::HandleHeadersFrame(nghttp2_frame const*) (/home/user/node-upstream/buildroot/bin/node+0x1c221a5) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#19 0x56232e213475 in node::http2::Http2Session::OnFrameReceive(nghttp2_session*, nghttp2_frame const*, void*) (/home/user/node-upstream/buildroot/bin/node+0x1c13475) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#20 0x5623311b25b6 in nghttp2_session_mem_recv2 (/home/user/node-upstream/buildroot/bin/node+0x4bb25b6) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#21 0x56232e21f5bb in node::http2::Http2Session::ConsumeHTTP2Data() (/home/user/node-upstream/buildroot/bin/node+0x1c1f5bb) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#22 0x56232e22952d in node::http2::Http2Session::OnStreamRead(long, uv_buf_t const&) (/home/user/node-upstream/buildroot/bin/node+0x1c2952d) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#23 0x56232e529787 in node::LibuvStreamWrap::OnUvRead(long, uv_buf_t const*) (/home/user/node-upstream/buildroot/bin/node+0x1f29787) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#24 0x56232e52b15b in node::LibuvStreamWrap::ReadStart()::$_1::__invoke(uv_stream_s*, long, uv_buf_t const*) stream_wrap.cc
#25 0x5623304b42b5 in uv__read /home/user/node-upstream/out/../deps/uv/src/unix/stream.c:1148:7
#26 0x5623304b42b5 in uv__stream_io /home/user/node-upstream/out/../deps/uv/src/unix/stream.c:1208:5
#27 0x5623304ca285 in uv__io_poll /home/user/node-upstream/out/../deps/uv/src/unix/linux.c:1565:11
#28 0x562330491d74 in uv_run /home/user/node-upstream/out/../deps/uv/src/unix/core.c:460:5
#29 0x56232de95cc5 in node::SpinEventLoopInternal(node::Environment*) (/home/user/node-upstream/buildroot/bin/node+0x1895cc5) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#30 0x56232e262173 in node::NodeMainInstance::Run() (/home/user/node-upstream/buildroot/bin/node+0x1c62173) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
previously allocated by thread T0 here:
#0 0x56232de2ebbc in realloc /usr/src/RPM/BUILD/llvm-project-19/compiler-rt/lib/asan/asan_malloc_linux.cpp:82:3
#1 0x56232e2543f1 in node::mem::NgLibMemoryManager<node::http2::Http2Session, nghttp2_mem>::ReallocImpl(void*, unsigned long, void*) (/home/user/node-upstream/buildroot/bin/node+0x1c543f1) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#2 0x56233119d997 in nghttp2_session_open_stream (/home/user/node-upstream/buildroot/bin/node+0x4b9d997) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#3 0x5623311a4652 in nghttp2_session_on_request_headers_received (/home/user/node-upstream/buildroot/bin/node+0x4ba4652) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#4 0x5623311b2148 in nghttp2_session_mem_recv2 (/home/user/node-upstream/buildroot/bin/node+0x4bb2148) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#5 0x56232e21f5bb in node::http2::Http2Session::ConsumeHTTP2Data() (/home/user/node-upstream/buildroot/bin/node+0x1c1f5bb) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#6 0x56232e22952d in node::http2::Http2Session::OnStreamRead(long, uv_buf_t const&) (/home/user/node-upstream/buildroot/bin/node+0x1c2952d) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#7 0x56232e529787 in node::LibuvStreamWrap::OnUvRead(long, uv_buf_t const*) (/home/user/node-upstream/buildroot/bin/node+0x1f29787) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#8 0x56232e52b15b in node::LibuvStreamWrap::ReadStart()::$_1::__invoke(uv_stream_s*, long, uv_buf_t const*) stream_wrap.cc
#9 0x5623304b42b5 in uv__read /home/user/node-upstream/out/../deps/uv/src/unix/stream.c:1148:7
#10 0x5623304b42b5 in uv__stream_io /home/user/node-upstream/out/../deps/uv/src/unix/stream.c:1208:5
#11 0x5623304ca285 in uv__io_poll /home/user/node-upstream/out/../deps/uv/src/unix/linux.c:1565:11
#12 0x562330491d74 in uv_run /home/user/node-upstream/out/../deps/uv/src/unix/core.c:460:5
#13 0x56232de95cc5 in node::SpinEventLoopInternal(node::Environment*) (/home/user/node-upstream/buildroot/bin/node+0x1895cc5) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#14 0x56232e262173 in node::NodeMainInstance::Run() (/home/user/node-upstream/buildroot/bin/node+0x1c62173) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#15 0x56232e0b0d59 in node::Start(int, char**) (/home/user/node-upstream/buildroot/bin/node+0x1ab0d59) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba)
#16 0x7fd87303fc8b (/lib64/libc.so.6+0x27c8b) (BuildId: 22555ae827f9b29f1149acf2fe0887aa8760c393)
SUMMARY: AddressSanitizer: heap-use-after-free (/home/user/node-upstream/buildroot/bin/node+0x4bb4bc6) (BuildId: df6b9d521bc7b2f5efc4da3bfff2263a777088ba) in nghttp2_session_mem_recv2
Shadow bytes around the buggy address:
0x50d000002500: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x50d000002580: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x50d000002600: fd fd fd fd fd fa fa fa fa fa fa fa fa fa 00 00
0x50d000002680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x50d000002700: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x50d000002780: fd fd fd fd fd fd fd fd[fd]fd fa fa fa fa fa fa
0x50d000002800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50d000002880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50d000002900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50d000002980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50d000002a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==988776==ABORTING
The crash is reproduced in versions 25.x, 24.x, 22.x, 20.x.
Version
22.23.1
Platform
Subsystem
No response
What steps will reproduce the bug?
File crash.txt
How often does it reproduce? Is there a required condition?
Always
What is the expected behavior? Why is that the expected behavior?
There should be no use-after-free error.
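What do you see instead?
AddressSanitizer aborts the process with the heap-use-after-free report shown above. Reading its three stacks together: the 144-byte object is allocated in nghttp2_session_open_stream while request headers are being processed. It is freed by nghttp2_session_close_stream (via session_close_stream_on_goaway) inside nghttp2_session_mem_send. That send is reached re-entrantly from the OnFrameReceive callback (HandleHeadersFrame → JavaScript callback → Http2Stream::RstStream → SubmitRstStream → SendPendingData) while nghttp2_session_mem_recv2 is still on the stack. nghttp2_session_mem_recv2 then reads 1 byte at offset 132 of the freed object. In a build without ASan the same read is undefined behaviour and may not produce a visible crash.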
Additional information
The crash reproduces on versions 25.x, 24.x, 22.x and 20.x.
I suggest the patch node-fix-http2-uaf.patch as a fix.
https://hackerone.com/reports/3584453