PT-2026-28108 · Netty (+1)
Sprabhav7
Published: 2026-03-25 · Updated: 2026-05-18
CVE-2026-33871
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Netty versions prior to 4.1.132.Final and versions prior to 4.2.10.Final

Description
Netty, an asynchronous, event-driven network application framework, is susceptible to a Denial of Service (DoS) attack. A remote user can exploit this by sending a flood of CONTINUATION frames to a Netty HTTP/2 server. The server does not limit the number of CONTINUATION frames it accepts, and the existing size-based protection is bypassed when zero-byte frames are used, since each such frame adds nothing to the accumulated header-block size. This allows an attacker to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. The issue resides in the DefaultHttp2FrameReader component, specifically in the verifyContinuationFrame() function, which lacks a frame count check. The HeadersBlockBuilder.addFragment() function also allows the byte limit to be bypassed with zero-byte frames.

Recommendations
Upgrade to Netty version 4.1.132.Final or later.
Upgrade to Netty version 4.2.10.Final or later.
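To make the bypass described above concrete, here is an added example; it is not Netty's code and not the actual patch, but a minimal HTTP/2 frame walker in Python that reassembles a header block from a HEADERS frame and its CONTINUATION frames. It enforces a byte limit the way a size-only policy would, and optionally a frame-count limit, so the two policies can be compared on the same constructed input. The 8192-byte and 64-frame limits, the function and class names, and the constructed frame sequence are all assumptions chosen for illustration.

```python
"""
Added example (not Netty's code): reassemble an HTTP/2 header block and
show why a byte-only limit does not stop zero-length CONTINUATION frames.
"""
from dataclasses import dataclass

# RFC 7540 section 4.1 frame header: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id
FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4


@dataclass
class Frame:
    length: int
    type: int
    flags: int
    stream_id: int
    payload: bytes


def parse_frames(buf: bytes):
    """Yield frames from a byte buffer; raise on a truncated frame."""
    off = 0
    while off < len(buf):
        if len(buf) - off < FRAME_HEADER_LEN:
            raise ValueError("truncated frame header")
        hdr = buf[off:off + FRAME_HEADER_LEN]
        length = int.from_bytes(hdr[:3], "big")
        ftype, flags = hdr[3], hdr[4]
        stream_id = int.from_bytes(hdr[5:9], "big") & 0x7FFFFFFF
        start = off + FRAME_HEADER_LEN
        end = start + length
        if end > len(buf):
            raise ValueError("truncated frame payload")
        yield Frame(length, ftype, flags, stream_id, buf[start:end])
        off = end


class HeaderBlockTooLarge(Exception):
    pass


class TooManyContinuations(Exception):
    pass


def reassemble_header_block(buf: bytes, max_header_bytes: int, max_continuation_frames=None):
    """
    Concatenate the HEADERS fragment and following CONTINUATION fragments of one stream.
    max_continuation_frames=None reproduces a size-only policy (assumed limits, not Netty's).
    Returns (header block bytes, number of CONTINUATION frames consumed).
    """
    fragments = bytearray()
    continuations = 0
    open_stream = None
    for frame in parse_frames(buf):
        if frame.type == TYPE_HEADERS:
            if open_stream is not None:
                raise ValueError("HEADERS while a header block is still open")
            open_stream = frame.stream_id
        elif frame.type == TYPE_CONTINUATION:
            if open_stream is None or frame.stream_id != open_stream:
                raise ValueError("CONTINUATION without a matching open HEADERS")
            continuations += 1
            # The count check fires regardless of payload size, so zero-byte frames cannot evade it.
            if max_continuation_frames is not None and continuations > max_continuation_frames:
                raise TooManyContinuations(continuations)
        else:
            raise ValueError("no other frame type may interleave a header block")
        fragments += frame.payload
        # A size-only check: zero-length payloads never move this counter.
        if len(fragments) > max_header_bytes:
            raise HeaderBlockTooLarge(len(fragments))
        if frame.flags & FLAG_END_HEADERS:
            return bytes(fragments), continuations
    raise ValueError("header block never terminated with END_HEADERS")


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Constructed test input: encode one HTTP/2 frame."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + stream_id.to_bytes(4, "big") + payload


def constructed_zero_byte_stream(n: int) -> bytes:
    """Constructed: HEADERS with a one-byte fragment, n zero-length CONTINUATIONs, then END_HEADERS."""
    frames = [build_frame(TYPE_HEADERS, 0, 1, b"\x82")]
    frames += [build_frame(TYPE_CONTINUATION, 0, 1)] * n
    frames.append(build_frame(TYPE_CONTINUATION, FLAG_END_HEADERS, 1))
    return b"".join(frames)


def size_only_policy_accepts(n: int) -> int:
    """Byte limit only: returns how many CONTINUATION frames were processed without rejection."""
    _, count = reassemble_header_block(constructed_zero_byte_stream(n), max_header_bytes=8192)
    return count


def counted_policy_rejects(n: int, limit: int) -> bool:
    """Byte limit plus frame-count limit: True if the stream is rejected."""
    try:
        reassemble_header_block(constructed_zero_byte_stream(n), max_header_bytes=8192,
                                max_continuation_frames=limit)
    except TooManyContinuations:
        return True
    return False
```

With the size-only policy the walker consumes every one of the zero-length frames, because the accumulated header block never grows past one byte; the count-based check rejects the same stream as soon as the assumed limit is exceeded, which is the kind of check the description says verifyContinuationFrame() lacked in the affected versions.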
Tags: Exploit · Fix · DoS · Allocation of Resources Without Limits
Weakness Enumeration
Related identifiers
Affected products
Confluence
Netty