Vulnerability in http2 module from Node.js

Developers of the server-side JavaScript platform Node.js have published patch releases 12.22.4, 14.17.4, and 16.6.0 that partially fix a vulnerability (CVE-2021-22930) in the http2 module (HTTP/2.0 client). The flaw can crash the process and could potentially allow execution of attacker-supplied code on the system when the client connects to a host controlled by an attacker.

The problem is a use-after-free: an already freed memory area is accessed when a connection is closed after RST_STREAM (stream reset) frames arrive for streams that are in the middle of intensive reads which block writes. If a RST_STREAM frame is received without an error code, the http2 module additionally calls a routine that flushes already received data; that routine invokes the close handler a second time for the already closed stream, which results in a double free of the stream's data structures.

The fix discussion notes that the issue is not fully resolved and can still be reproduced in the published updates under slightly modified conditions. Analysis showed that the fix covers only one of the special cases, a stream in the read state, and does not account for other stream states (reading and paused, paused, and certain kinds of writing).
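Since the releases above only contain a partial fix, a practical first step is to confirm which side of those patch releases a given Node.js build falls on. The following is an added example, not code from the article or from the Node.js project: it compares a version string against the release numbers the article lists and reports whether the partial fix is present. Version strings other than those three release lines are assumed to be out of scope and are reported as such rather than judged.

```javascript
// Added example (not from the article or Node.js): check whether a Node.js
// version string is at or above the patch release the article lists for its
// major line. Release numbers are taken from the article: 12.22.4, 14.17.4,
// 16.6.0. The article stresses these releases only partially fix
// CVE-2021-22930, so "patched" means "contains the partial fix", nothing more.

const FIXED_RELEASES = {
  12: [12, 22, 4],
  14: [14, 17, 4],
  16: [16, 6, 0],
};

// Parse "v14.17.3" or "14.17.3" into [major, minor, patch]; null on bad input.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "patched" (at or above the listed release for that major line),
// "vulnerable" (below it), "unsupported-line" (a major line the article does
// not list, so no judgement is made) or "invalid" (unparseable input).
function assessHttp2Fix(version) {
  const parsed = parseVersion(version);
  if (!parsed) return 'invalid';
  const fixed = FIXED_RELEASES[parsed[0]];
  if (!fixed) return 'unsupported-line';
  return compareVersions(parsed, fixed) >= 0 ? 'patched' : 'vulnerable';
}

// Stand-alone use: assess the Node.js process this script runs under.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(`${process.version}: ${assessHttp2Fix(process.version)}`);
}
```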

Source: opennet.ru
