Description
Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, the default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not explicitly specify `HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE`, the implementation defaults to an unbounded limit. This insecure default configuration allows a malicious client or server to send an enormous number of headers, leading to a memory exhaustion Denial of Service via an `OutOfMemoryError`. Version 4.2.15.Final contains a patch.
Published: 2026-06-12
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A configuration flaw in Netty's HTTP/3 codec allows an attacker to send header data without any prescribed limit when the peer has not explicitly set HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE. The resulting unbounded allocation leads to OutOfMemoryError conditions that halt the application, producing a denial of service. The weakness stems from a lack of input validation on header size and is categorized under CWE-1188 and CWE-400.

Affected Systems

The issue affects all Netty deployments using the Http3ConnectionHandler component prior to version 4.2.15.Final. Netty released a patched build, 4.2.15.Final, that applies a default maximum header size. Systems remaining on older releases, or that still rely on the unbounded default configuration, are vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. While no EPSS score is reported, exploitation remains possible, particularly against exposed HTTP/3 services. The vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the vulnerability remotely over the network by issuing a crafted HTTP/3 request containing a very large header section. No privileged access or local code execution is required, so the risk applies to any reachable HTTP/3 endpoint.

Generated by OpenCVE AI on June 12, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty to version 4.2.15.Final or later to apply the fixed default maximum header size.
  • If upgrading is not immediately possible, configure a strict maximum header size by setting HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE to a reasonable value in the Http3ConnectionHandler.
  • Enforce network-level filtering or rate limiting to prevent oversized HTTP/3 header transmissions from reaching the application.

Generated by OpenCVE AI on June 12, 2026 at 06:20 UTC.
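
As an added example that is not part of the advisory or the Netty project, the following shows the second recommended action in code: installing the server-side HTTP/3 connection handler with an explicit local settings frame that caps the field section size instead of leaving it unset. It assumes the Netty 4.2 package names `io.netty.handler.codec.http3` and `io.netty.handler.codec.quic` and the five-argument `Http3ServerConnectionHandler` constructor; the 16 KiB cap and the class name are constructed for illustration.

```java
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelInitializer;
import io.netty.handler.codec.http3.DefaultHttp3SettingsFrame;
import io.netty.handler.codec.http3.Http3ServerConnectionHandler;
import io.netty.handler.codec.http3.Http3SettingsFrame;
import io.netty.handler.codec.quic.QuicChannel;

/**
 * Added example (not from the advisory or the Netty project): installs the
 * HTTP/3 server connection handler with an explicit local SETTINGS frame so
 * the field section size cap is never left at the unbounded pre-4.2.15 default.
 * Assumes the Netty 4.2 package names imported above and the five-argument
 * Http3ServerConnectionHandler constructor.
 */
public final class BoundedHeaderHttp3Initializer extends ChannelInitializer<QuicChannel> {

    // Constructed value: 16 KiB covers typical cookies and bearer tokens;
    // size it for what the application legitimately needs and nothing more.
    static final long MAX_FIELD_SECTION_SIZE = 16L * 1024;

    private final ChannelHandler requestStreamHandler;

    public BoundedHeaderHttp3Initializer(ChannelHandler requestStreamHandler) {
        this.requestStreamHandler = requestStreamHandler;
    }

    /** Local settings advertised to the peer, with the header cap set explicitly. */
    static Http3SettingsFrame boundedLocalSettings() {
        Http3SettingsFrame settings = new DefaultHttp3SettingsFrame();
        settings.put(Http3SettingsFrame.HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE,
                     MAX_FIELD_SECTION_SIZE);
        return settings;
    }

    @Override
    protected void initChannel(QuicChannel ch) {
        ch.pipeline().addLast(new Http3ServerConnectionHandler(
                requestStreamHandler,
                null,                    // inboundControlStreamHandler: codec default
                null,                    // unknownInboundStreamHandlerFactory: codec default
                boundedLocalSettings(),  // localSettings: explicit cap instead of unset
                true));                  // disableQpackDynamicTable (assumed default)
    }
}
```

Pair this with the upgrade rather than relying on it alone: the explicit setting removes the dependence on the default, while 4.2.15.Final makes the default itself safe.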

Advisories

Source: GitHub GHSA
ID: GHSA-c2rx-5r8w-8xr2
Title: Netty has a Vulnerable Default Configuration Which Leads to Denial of Service via Unbounded HTTP/3 Header Size
History

Fri, 12 Jun 2026 06:45:00 +0000

Type: First Time appeared
Values Added: Netty; Netty netty

Type: Vendors & Products
Values Added: Netty; Netty netty

Fri, 12 Jun 2026 05:15:00 +0000

Type: Description
Values Added: Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, the default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not explicitly specify `HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE`, the implementation defaults to an unbounded limit. This insecure default configuration allows a malicious client or server to send an enormous number of headers, leading to a memory exhaustion Denial of Service via an `OutOfMemoryError`. Version 4.2.15.Final contains a patch.

Type: Title
Values Added: Netty has a Vulnerable Default Configuration Which Leads to Denial of Service via Unbounded HTTP/3 Header Size

Type: Weaknesses
Values Added: CWE-1188; CWE-400

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T05:04:58.033Z

Reserved: 2026-05-07T21:50:33.545Z

Link: CVE-2026-44892

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T05:16:32.007

Modified: 2026-06-12T05:16:32.007

Link: CVE-2026-44892

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T06:30:18Z

Weaknesses
  • CWE-1188

    Initialization of a Resource with an Insecure Default

  • CWE-400

    Uncontrolled Resource Consumption