Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty, a Java network application framework, contained a flaw in its HTTP/2 implementation where the advertised MAX_CONCURRENT_STREAMS setting was not enforced. Because the default initialized stream limits to Integer.MAX_VALUE and no SETTINGS_MAX_CONCURRENT_STREAMS was sent, a client could open an unrestricted number of streams. Each stream consumes objects and internal state, so a single TCP connection could create hundreds of thousands of long‑lived stream objects, exhausting server memory and CPU resources. The unlimited stream count also enables amplification attacks in a style similar to CVE-2023-44487 by multiplying backend work. This uncontrolled resource consumption aligns with CWE‑400.

Affected Systems

Netty versions prior to 4.1.135.Final and 4.2.15.Final are vulnerable. The issue affects the Netty network application framework, which is commonly used in Java‑based protocol servers and clients to implement HTTP/2 functionality. The patch is included in Netty 4.1.135.Final and Netty 4.2.15.Final releases and later.

Risk and Exploitability

The CVSS base score of 5.3 indicates a moderate severity. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely targeted by malicious actors. An attacker would need to establish an HTTP/2 connection to a Netty‑based server and open many streams in order to trigger resource exhaustion. The lack of a hard limit makes this straightforward from the client side, but the exploit requires the presence of a vulnerable Netty server.

Generated by OpenCVE AI on June 12, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty to version 4.1.135.Final or 4.2.15.Final or newer.
  • If upgrade is not immediately possible, configure the server to set an explicit maximum concurrent streams by calling initialSettings().maxConcurrentStreams(<desired limit>).
  • Monitor the server for excessive stream creation and consider limiting client connections at the network or application layer to prevent resource exhaustion.

Generated by OpenCVE AI on June 12, 2026 at 15:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5x3r-wrvg-rp6q Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced
History

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Netty
Netty netty
Vendors & Products Netty
Netty netty

Fri, 12 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Description Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Title Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Netty Netty
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T14:59:15.823Z

Reserved: 2026-05-18T22:54:18.272Z

Link: CVE-2026-47244

cve-icon Vulnrichment

Updated: 2026-06-12T14:59:07.858Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-12T15:16:29.217

Modified: 2026-06-12T15:55:06.377

Link: CVE-2026-47244

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T15:30:31Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption