Description
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
Published: 2026-03-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A remote, unauthenticated attacker can cause a denial of service on a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server imposes no limit on the number of CONTINUATION frames that may follow a HEADERS frame, and its existing size-based mitigation is bypassed with zero-byte frames, which add nothing to the accumulated header size. The server therefore keeps processing frames indefinitely, burning CPU while the attacker spends minimal bandwidth.
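To make the two mitigations concrete, here is an added model in Python (not Netty's code, and not an exploit against a real server): a minimal HTTP/2 frame serializer and parser following the RFC 9113 framing layout, a header-block assembler with a size guard and an optional count guard, and a constructed flood of zero-byte CONTINUATION frames. The limits used (8192 header bytes, 64 CONTINUATION frames) and the way stray frames are skipped are illustrative assumptions; the page only states that the fixed versions add a limit on the number of CONTINUATION frames.

```python
"""Model of the CONTINUATION-flood issue: size guard versus count guard (illustrative, not Netty code)."""

HEADERS, CONTINUATION = 0x1, 0x9   # RFC 9113 frame type codes
END_HEADERS = 0x4                   # flag that closes a header block


def frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame; stop at a truncated one."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            return
        off += 9 + length
        yield ftype, flags, stream_id, payload


def assemble_header_block(data, max_header_block_bytes=8192, max_continuation_frames=None):
    """
    Reassemble one header block from HEADERS + CONTINUATION frames and report how it ended.
    Returns (status, frames_processed) where status is one of:
      'complete'    END_HEADERS seen, block delivered
      'incomplete'  input exhausted without END_HEADERS (all the CPU spent, nothing rejected)
      'size-limit'  accumulated header bytes exceeded max_header_block_bytes
      'count-limit' CONTINUATION frames in this block exceeded max_continuation_frames
    The size guard only counts payload bytes, so zero-length CONTINUATION frames never trip it;
    the count guard (assumed value, the page gives none) bounds the work per header block.
    """
    buf = bytearray()
    in_block = False
    continuations = processed = 0
    for ftype, flags, _stream_id, payload in parse_frames(data):
        processed += 1
        if ftype == HEADERS:
            in_block, buf, continuations = True, bytearray(payload), 0
        elif ftype == CONTINUATION and in_block:
            continuations += 1
            if max_continuation_frames is not None and continuations > max_continuation_frames:
                return "count-limit", processed
            buf += payload
        else:
            # Other frame types, and a CONTINUATION outside a header block, are skipped in this
            # model; a real implementation treats the latter as a PROTOCOL_ERROR.
            continue
        if len(buf) > max_header_block_bytes:
            return "size-limit", processed
        if flags & END_HEADERS:
            return "complete", processed
    return "incomplete", processed


def continuation_flood(n, payload=b"", stream_id=1):
    """Constructed attack traffic: a HEADERS frame that never closes its block, then n CONTINUATION frames."""
    out = bytearray(frame(HEADERS, 0, stream_id, b"\x82"))   # HPACK indexed field 2 = ':method: GET'
    for _ in range(n):
        out += frame(CONTINUATION, 0, stream_id, payload)
    return bytes(out)


if __name__ == "__main__":
    legit = frame(HEADERS, 0, 1, b"\x82") + frame(CONTINUATION, END_HEADERS, 1, b"\x84")  # 0x84 = ':path: /'
    print("legitimate two-frame block:     ", assemble_header_block(legit))
    print("1-byte flood, size guard only:  ", assemble_header_block(continuation_flood(100_000, b"\x00")))
    print("0-byte flood, size guard only:  ", assemble_header_block(continuation_flood(100_000)))
    print("0-byte flood, with count guard: ", assemble_header_block(continuation_flood(100_000),
                                                                     max_continuation_frames=64))
```

Run stand-alone, the four cases show the shape of the bug: the legitimate block completes after two frames; a flood of 1-byte frames is stopped by the size guard after 8193 frames; the same flood with zero-byte frames runs through all 100,001 frames without tripping anything, which is the CPU-for-nothing pattern described above; with the count guard in place the flood is rejected after 66 frames.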

Affected Systems

The vulnerability affects Netty, tracked on this page as the netty:netty package. Versions before 4.1.132.Final on the 4.1 branch and before 4.2.10.Final on the 4.2 branch are affected; upgrading to those versions or later removes the flaw.

Risk and Exploitability

The CVSS v4.0 score is 8.7 (High); the vector (AV:N/AC:L/AT:N/PR:N/UI:N/VA:H) describes a network attack of low complexity requiring no privileges or user interaction, with high impact on availability only. The EPSS score is below 1% (very low) and the vulnerability is not in CISA's KEV catalog. Because the attack needs nothing more than an HTTP/2 connection and a stream of CONTINUATION frames, exploitation against an unpatched server is straightforward.

Generated by OpenCVE AI on March 27, 2026 at 21:35 UTC.

Remediation

Fixed in Netty 4.1.132.Final and 4.2.10.Final (see GitHub advisory GHSA-w9fj-cfpg-grvv). No workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Netty to 4.1.132.Final or newer (or 4.2.10.Final or newer if using the 4.2 branch).
  • After upgrading, monitor server CPU usage and performance for any abnormal spikes.
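A small added helper in Python for the first action, not part of OpenCVE or Netty: branch-aware version triage. A naive single threshold ("at least 4.1.132.Final") misclassifies the 4.2 branch, where 4.2.9.Final is vulnerable yet sorts above 4.1.132.Final; the function below compares an artifact against the fixed version of its own branch and reports versions outside the 4.1 and 4.2 branches as not covered by this advisory's stated ranges (4.0.x and older have to be assessed separately). The jar file names in the example are constructed.

```python
"""Branch-aware check of Netty artifact versions against this advisory's fixed releases."""
import re
from typing import Optional

# Fixed versions stated in the advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {
    (4, 1): (4, 1, 132),   # 4.1.132.Final
    (4, 2): (4, 2, 10),    # 4.2.10.Final
}

# Matches "4.1.131" inside a version string or a jar name such as netty-codec-http2-4.1.131.Final.jar
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_netty_version(text: str) -> Optional[tuple]:
    """Return (major, minor, patch) from a version string or jar file name, or None if none is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3))


def is_vulnerable(text: str) -> Optional[bool]:
    """
    True  if the version is on the 4.1 or 4.2 branch and below that branch's fix,
    False if it is at or above the fix,
    None  if it is on a branch for which this advisory states no range.
    """
    version = parse_netty_version(text)
    if version is None or version[:2] not in FIXED_BY_BRANCH:
        return None
    return version < FIXED_BY_BRANCH[version[:2]]


def triage_jars(jar_names) -> dict:
    """Bucket Netty jar names (those containing 'netty') into vulnerable / fixed / not-covered."""
    buckets = {"vulnerable": [], "fixed": [], "not-covered": []}
    for name in jar_names:
        if "netty" not in name.lower():
            continue   # only Netty artifacts are meaningful for this check
        verdict = is_vulnerable(name)
        key = "vulnerable" if verdict else ("fixed" if verdict is False else "not-covered")
        buckets[key].append(name)
    return buckets


if __name__ == "__main__":
    # Constructed classpath listing, not taken from any real deployment.
    classpath = [
        "netty-codec-http2-4.1.131.Final.jar",
        "netty-handler-4.1.132.Final.jar",
        "netty-codec-http2-4.2.9.Final.jar",
        "netty-common-4.2.10.Final.jar",
        "netty-all-4.0.56.Final.jar",
        "guava-33.4.0-jre.jar",
    ]
    for bucket, names in triage_jars(classpath).items():
        print(f"{bucket}: {names}")
```

Feed it the output of `mvn dependency:tree` or a listing of the deployed lib directory; a mixed classpath, where one module is on 4.1.132.Final but netty-codec-http2 lags behind, still shows up as vulnerable because every jar is judged on its own version.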

Generated by OpenCVE AI on March 27, 2026 at 21:35 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-w9fj-cfpg-grvv
Title: Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass
History

Mon, 30 Mar 2026 07:15:00 +0000

Type: First Time Appeared
Values Added: Netty; Netty netty

Type: Vendors & Products
Values Added: Netty; Netty netty

Fri, 27 Mar 2026 20:15:00 +0000

Type: Description
Values Added: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

Type: Title
Values Added: Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass

Type: Weaknesses
Values Added: CWE-770

Type: References
Values Added: (none shown)

Type: Metrics
Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:55:23.135Z

Reserved: 2026-03-24T15:10:05.679Z

Link: CVE-2026-33871

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-27T20:16:34.833

Modified: 2026-03-30T20:10:17.620

Link: CVE-2026-33871

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:00:32Z

Weaknesses