Impact
Netty, a widely used networking framework, has a flaw in its handling of the HTTP/2 SETTINGS_MAX_HEADER_LIST_SIZE parameter. When a client advertises a SETTINGS_MAX_HEADER_LIST_SIZE value that exercises this flaw, the framework accepts the request, forwards it to the origin, attempts to generate a response, and then fails while writing the response headers, raising an exception. This sequence closely resembles an HTTP/2 reset attack but has a distinct on‑wire signature. The primary consequence is service disruption: the exception can degrade or halt the transport layer, effectively denying service to legitimate users.
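The SETTINGS exchange and the header-list accounting described above, as an added example that is not part of the advisory or of Netty's code: it decodes a constructed client connection preface plus SETTINGS frame, computes a response header list size the way RFC 9113 §6.5.2 defines it, and checks whether the peer's advertised limit can be honored, so that an oversized header block is failed per stream rather than taking down the transport. The advisory does not state which values trigger the Netty fault, so the check below is the general case, not the specific bug.

```python
import struct

# HTTP/2 constants from RFC 9113 (public protocol definitions, not from the advisory)
CLIENT_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_TYPE_SETTINGS = 0x4
FLAG_ACK = 0x1
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6

def parse_frames(data):
    """Split a byte string into (type, flags, stream_id, payload) tuples.
    Frame header is 9 octets: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    if data.startswith(CLIENT_PREFACE):
        data = data[len(CLIENT_PREFACE):]
    frames, pos = [], 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack(">I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        frames.append((ftype, flags, stream_id, payload))
        pos += 9 + length
    return frames

def parse_settings(payload):
    """Decode a SETTINGS payload into {identifier: value}; each entry is 16-bit id + 32-bit value."""
    if len(payload) % 6:
        raise ValueError("SETTINGS payload must be a multiple of 6 octets (FRAME_SIZE_ERROR)")
    return {ident: value for ident, value in struct.iter_unpack(">HI", payload)}

def peer_header_limits(data):
    """Return every SETTINGS_MAX_HEADER_LIST_SIZE the client advertised (non-ACK SETTINGS on stream 0)."""
    limits = []
    for ftype, flags, stream_id, payload in parse_frames(data):
        if ftype == FRAME_TYPE_SETTINGS and stream_id == 0 and not (flags & FLAG_ACK):
            settings = parse_settings(payload)
            if SETTINGS_MAX_HEADER_LIST_SIZE in settings:
                limits.append(settings[SETTINGS_MAX_HEADER_LIST_SIZE])
    return limits

def header_list_size(headers):
    """Uncompressed size per RFC 9113 §6.5.2: sum of name length + value length + 32 per field."""
    return sum(len(name) + len(value) + 32 for name, value in headers)

def can_send_headers(peer_limit, headers):
    """Defender-side check before encoding: a block over the peer's limit should fail this stream only,
    not raise out of the transport. Returns True when the response headers fit the advertised limit."""
    return header_list_size(headers) <= peer_limit

# Constructed sample: preface + one SETTINGS frame advertising MAX_HEADER_LIST_SIZE = 16 octets
SAMPLE = CLIENT_PREFACE + bytes.fromhex("000006" "04" "00" "00000000" "0006" "00000010")
```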
Affected Systems
The vulnerability affects applications built on the Netty framework, specifically any deployment using netty:netty prior to version 4.1.135.Final or 4.2.15.Final. Systems running older Netty releases that process inbound HTTP/2 traffic are susceptible.
Risk and Exploitability
The CVSS score of 6.9 indicates a moderate security impact. The EPSS score of less than 1% suggests a very low probability of exploitation in the wild at the time of analysis, and the issue is not listed in CISA's KEV catalog. An attacker would need only to open an HTTP/2 connection and send a SETTINGS frame carrying a SETTINGS_MAX_HEADER_LIST_SIZE value. The attack vector is therefore network‑based and requires neither local privileges nor user interaction. Because the fault manifests during response header serialization, a successful exploit can trigger repeated exceptions, potentially exhausting system resources or causing a crash, which aligns with CWE‑770.
OpenCVE Enrichment