Description
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. From 4.3.0 to before 4.10.22, TimeConverterRegistrar caches DateTimeFormatter instances in an unbounded ConcurrentHashMap<String, DateTimeFormatter> whose key is derived from the @Format annotation pattern concatenated with the locale from the HTTP Accept-Language header. Because Locale.forLanguageTag() accepts arbitrary BCP 47 private-use extensions (en-x-a001, en-x-a002, …), an unauthenticated attacker can generate an unlimited number of unique cache keys by sending requests with novel locale tags, growing the cache until heap memory is exhausted and the JVM crashes. This vulnerability is fixed in 4.10.22.
Published: 2026-05-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a memory exhaustion flaw that allows an attacker to fill an unbounded cache within the Micronaut Core framework. The cache, a ConcurrentHashMap that stores DateTimeFormatter instances keyed by a format pattern and a locale derived from the HTTP Accept‑Language header, can grow without bound. By sending requests with unique, private‑use language tags, an unauthenticated attacker can create arbitrary cache keys until the JVM heap is exhausted, resulting in an out‑of‑memory error and a crash of the application. The impact is a denial of service that can render the affected service unavailable to legitimate users.

Affected Systems

Micronaut Framework (Micronaut Core component) is affected. Versions from 4.3.0 up to and including 4.10.21 contain the unbounded cache. Updating to version 4.10.22 or later resolves the issue. No other vendor or product versions are known to be impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. The EPSS score is not available, so the historical likelihood of exploitation is unknown, but the vulnerability is publicly known and can be triggered via a simple HTTP header. The flaw is not listed in the CISA KEV catalog. Attackers can exploit it remotely and unauthenticated by sending crafted Accept‑Language headers with private‑use extensions, so the attack vector is network‑based and requires no special privileges.

Generated by OpenCVE AI on May 12, 2026 at 23:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Micronaut Framework to 4.10.22 or later to eliminate the unbounded cache flaw.
  • If an immediate update is not possible, configure the application or a reverse proxy to strip or reject Accept‑Language headers containing private‑use extensions, limiting cache key diversity.
  • Implement application‑level rate limiting and monitoring to detect sudden spikes in JVM memory usage that may indicate a cache‑overflow DoS attack.

Generated by OpenCVE AI on May 12, 2026 at 23:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8hjv-92q9-g4xj Micronaut has unbounded `formattersCache` in `TimeConverterRegistrar` that Allows Memory Exhaustion via `Accept-Language` Header
History

Wed, 13 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Micronaut-projects
Micronaut-projects micronaut-core
Vendors & Products Micronaut-projects
Micronaut-projects micronaut-core

Tue, 12 May 2026 22:00:00 +0000

Type Values Removed Values Added
Description Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. From 4.3.0 to before 4.10.22, TimeConverterRegistrar caches DateTimeFormatter instances in an unbounded ConcurrentHashMap<String, DateTimeFormatter> whose key is derived from the @Format annotation pattern concatenated with the locale from the HTTP Accept-Language header. Because Locale.forLanguageTag() accepts arbitrary BCP 47 private-use extensions (en-x-a001, en-x-a002, …), an unauthenticated attacker can generate an unlimited number of unique cache keys by sending requests with novel locale tags, growing the cache until heap memory is exhausted and the JVM crashes. This vulnerability is fixed in 4.10.22.
Title Micronaut Framework: Unbounded formattersCache in TimeConverterRegistrar Allows Memory Exhaustion via Accept-Language Header
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Micronaut-projects Micronaut-core
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T15:37:00.461Z

Reserved: 2026-05-05T15:42:40.520Z

Link: CVE-2026-44241

cve-icon Vulnrichment

Updated: 2026-05-13T15:30:03.723Z

cve-icon NVD

Status : Deferred

Published: 2026-05-12T22:16:35.473

Modified: 2026-05-13T16:16:54.930

Link: CVE-2026-44241

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T00:30:28Z

Weaknesses