CVE-2026-44892

Summary

Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, the default configuration of the Http3ConnectionHandler in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not explicitly specify HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE, the implementation defaults to an unbounded limit. This insecure default configuration allows a malicious client or server to send an enormous number of headers, leading to a memory exhaustion Denial of Service via an OutOfMemoryError. Version 4.2.15.Final contains a patch.

Affected Software

VendorProductVersion RangeStatus
nettynetty>= 4.2.0.Final, < 4.2.15.Finalaffected

Weaknesses

  • CWE-400: CWE-400: Uncontrolled Resource Consumption
  • CWE-1188: CWE-1188: Insecure Default Initialization of Resource

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References