Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification called `SETTINGS_MAX_HEADER_LIST_SIZE`. When a client sends that setting to Netty, it appears that Netty will behave as follows: read the request; proxy the request to the origin; attempt to produce a response; and create an exception while writing the headers for the response. Functionally, this should be similar to the http2 reset attack, but with a different on-the-wire signature. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Published: 2026-06-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty, a widely used networking framework, has a flaw in its handling of the HTTP/2 SETTINGS_MAX_HEADER_LIST_SIZE parameter. When a client advertises a value for this setting, the framework reads the request, forwards it to the origin, attempts to generate a response, and then fails with an exception while writing the response headers. This sequence closely resembles an HTTP/2 reset attack but has a distinct on-wire signature. The primary consequence is service disruption: the exception can degrade or halt the transport layer, effectively denying service to legitimate users.
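The pre-flight check that avoids the failure sequence above, as an added example (not Netty's code and not the vendor fix): parse the client's SETTINGS frame, then size the intended response headers the way RFC 9113 section 6.5.2 prescribes (name + value + 32 octets per field) against the advertised SETTINGS_MAX_HEADER_LIST_SIZE before the request is proxied, so an unsatisfiable limit is rejected up front instead of surfacing during header serialization. The frame bytes are constructed inline; the function names are this example's own.

```python
import struct

FRAME_TYPE_SETTINGS = 0x4
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6      # setting identifier per RFC 9113
HEADER_FIELD_OVERHEAD = 32               # octets added per field, RFC 9113 s6.5.2


def build_settings_frame(entries):
    """Constructed sample input: a SETTINGS frame carrying the given (id, value) pairs."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in entries)
    # 24-bit length, 1-octet type, 1-octet flags, 31-bit stream id (0 for connection-level frames)
    return len(payload).to_bytes(3, "big") + bytes([FRAME_TYPE_SETTINGS, 0]) + b"\x00" * 4 + payload


def parse_settings_frame(frame):
    """Return {identifier: value} from one SETTINGS frame (9-octet header + 6-octet entries)."""
    if len(frame) < 9:
        raise ValueError("truncated frame header")
    length = int.from_bytes(frame[:3], "big")
    if frame[3] != FRAME_TYPE_SETTINGS:
        raise ValueError("not a SETTINGS frame")
    payload = frame[9:9 + length]
    if len(payload) != length or length % 6:
        raise ValueError("malformed SETTINGS payload")
    return {ident: value for ident, value in struct.iter_unpack("!HI", payload)}


def header_list_size(headers):
    """Uncompressed size as the peer will measure it: name + value + 32 octets per field."""
    return sum(len(name) + len(value) + HEADER_FIELD_OVERHEAD for name, value in headers)


def can_encode_response(peer_settings, response_headers):
    """True if the response header block fits the limit the client advertised (absent = unlimited).

    Run this at request time, before any origin round trip, so a connection whose
    advertised limit cannot hold even a minimal response is refused cheaply.
    """
    limit = peer_settings.get(SETTINGS_MAX_HEADER_LIST_SIZE)
    return limit is None or header_list_size(response_headers) <= limit


if __name__ == "__main__":
    # Constructed: a client advertising a limit too small for even a bare :status header.
    settings = parse_settings_frame(build_settings_frame([(SETTINGS_MAX_HEADER_LIST_SIZE, 1)]))
    minimal = [(b":status", b"200")]                      # 7 + 3 + 32 = 42 octets
    print("advertised:", settings, "proxy this request:", can_encode_response(settings, minimal))
```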

Affected Systems

The vulnerability affects applications built on the Netty framework, specifically any deployment using netty:netty prior to version 4.1.135.Final or 4.2.15.Final. Systems running older Netty releases that process inbound HTTP/2 traffic are susceptible.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate security impact. The EPSS score of less than 1% suggests a very low probability of exploitation in the wild at the time of analysis, and the issue is not listed in CISA's KEV catalog. An attacker would need to open an HTTP/2 connection and send a SETTINGS frame carrying SETTINGS_MAX_HEADER_LIST_SIZE. The attack vector is therefore network-based and requires neither local privileges nor user interaction. Because the fault manifests during response header serialization, a successful exploit can trigger repeated exceptions, potentially exhausting system resources or causing a crash, which aligns with CWE-770.

Generated by OpenCVE AI on June 12, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netty to version 4.1.135.Final or 4.2.15.Final, depending on the branch in use.
  • Apply a firewall or network rate-limiting rule that caps the number of HTTP/2 SETTINGS frames carrying SETTINGS_MAX_HEADER_LIST_SIZE received per second from each client.
  • Monitor Netty logs for exception spikes and temporarily disable offending connections if a surge is detected.

Advisories
Source | ID | Title
Github GHSA | GHSA-563q-j3cm-6jxm | Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature
History

Mon, 15 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity: None -> Moderate

Mon, 15 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*
Metrics cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Sat, 13 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
Metrics ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared: Netty, Netty netty
Vendors & Products: Netty, Netty netty

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification called `SETTINGS_MAX_HEADER_LIST_SIZE`. When a client sends that setting to Netty, it appears that Netty will behave as follows: read the request; proxy the request to the origin; attempt to produce a response; and create an exception while writing the headers for the response. Functionally, this should be similar to the http2 reset attack, but with a different on-the-wire signature. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Title Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature
Weaknesses CWE-770
References
Metrics cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-13T03:21:17.132Z

Reserved: 2026-06-04T21:34:34.426Z

Link: CVE-2026-50560

Vulnrichment

Updated: 2026-06-13T03:21:11.541Z

NVD

Status : Analyzed

Published: 2026-06-12T16:16:32.847

Modified: 2026-06-15T02:30:57.210

Link: CVE-2026-50560

Redhat

Severity : Moderate

Public Date: 2026-06-12T14:59:59Z

Links: CVE-2026-50560 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-12T17:15:08Z

Weaknesses
  • CWE-770: Allocation of Resources Without Limits or Throttling