Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty, a Java network application framework, contained a flaw in its HTTP/2 implementation where the advertised MAX_CONCURRENT_STREAMS setting was not enforced. Because the default initialized stream limits to Integer.MAX_VALUE and no SETTINGS_MAX_CONCURRENT_STREAMS was sent, a client could open an unrestricted number of streams. Each stream consumes objects and internal state, so a single TCP connection could create hundreds of thousands of long‑lived stream objects, exhausting server memory and CPU resources. The unlimited stream count also enables amplification attacks in a style similar to CVE-2023-44487 by multiplying backend work. This uncontrolled resource consumption aligns with CWE‑400 and CWE‑770.

Affected Systems

Netty versions prior to 4.1.135.Final and 4.2.15.Final are vulnerable. The issue affects the Netty network application framework, which is commonly used in Java‑based protocol servers and clients to implement HTTP/2 functionality. The patch is included in Netty 4.1.135.Final and Netty 4.2.15.Final releases and later.

Risk and Exploitability

The CVSS base score of 5.3 indicates a moderate severity. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely targeted by malicious actors. An attacker would need to establish an HTTP/2 connection to a Netty‑based server and open many streams in order to trigger resource exhaustion. The lack of a hard limit makes this straightforward from the client side, but the exploit requires the presence of a vulnerable Netty server.

Generated by OpenCVE AI on June 15, 2026 at 13:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty to version 4.1.135.Final or 4.2.15.Final or newer.
  • If upgrade is not immediately possible, configure the server to set an explicit maximum concurrent streams by calling initialSettings().maxConcurrentStreams(<desired limit>).
  • Monitor the server for excessive stream creation and consider limiting client connections at the network or application layer to prevent resource exhaustion.

Generated by OpenCVE AI on June 15, 2026 at 13:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5x3r-wrvg-rp6q Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced
History

Mon, 15 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

threat_severity

Moderate


Mon, 15 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Netty
Netty netty
Vendors & Products Netty
Netty netty

Fri, 12 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Description Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Title Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T14:59:15.823Z

Reserved: 2026-05-18T22:54:18.272Z

Link: CVE-2026-47244

cve-icon Vulnrichment

Updated: 2026-06-12T14:59:07.858Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-12T15:16:29.217

Modified: 2026-06-15T02:11:37.623

Link: CVE-2026-47244

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-12T14:23:50Z

Links: CVE-2026-47244 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-15T14:00:12Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-770

    Allocation of Resources Without Limits or Throttling