PT-2026-28108 · Netty+1

Sprabhav7 · Published 2026-03-25 · Updated 2026-05-18
CVE-2026-33871
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Netty versions prior to 4.1.132.Final and versions prior to 4.2.10.Final
Description: Netty, an asynchronous, event-driven network application framework, is susceptible to a Denial of Service (DoS) attack. A remote user can exploit this by sending a flood of CONTINUATION frames to a Netty HTTP/2 server. The server does not limit the number of CONTINUATION frames it accepts, and the existing size-based protections are bypassed when zero-byte frames are used. This allows an attacker to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. The issue resides in the DefaultHttp2FrameReader component, specifically within the verifyContinuationFrame() function, which lacks a frame count check. The HeadersBlockBuilder.addFragment() function also allows the byte limit to be bypassed with zero-byte frames.
Recommendations: Upgrade to Netty version 4.1.132.Final or later, or to version 4.2.10.Final or later.
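As an added illustration written for this advisory (not Netty's code), the simplified Java model below shows why a byte-size check alone does not stop the flood described above, and the frame-count check that closes the gap; the class name, the two limit values and the constructed inputs are assumptions chosen for the example.

```java
/**
 * Simplified model of accumulating an HTTP/2 header block from a HEADERS frame
 * followed by CONTINUATION frames. Illustrative code for this advisory, not
 * Netty's implementation; the limits below are assumed values.
 */
public final class ContinuationGuard {
    static final int MAX_HEADER_BYTES = 8192;        // assumed size limit
    static final int MAX_CONTINUATION_FRAMES = 32;   // assumed frame-count limit

    /**
     * Vulnerable variant: only the accumulated byte size is checked. A flood of
     * zero-byte fragments never increases the total, so it is never rejected.
     * Returns the index of the first rejected fragment, or -1 if all were accepted.
     */
    static int byteLimitOnly(int[] fragmentSizes) {
        long bytes = 0;
        for (int i = 0; i < fragmentSizes.length; i++) {
            bytes += fragmentSizes[i];
            if (bytes > MAX_HEADER_BYTES) return i;
        }
        return -1; // every frame was parsed and merged: CPU spent, nothing caught
    }

    /**
     * Hardened variant: keeps the byte limit and additionally caps the number of
     * CONTINUATION fragments, so zero-byte frames are bounded as well.
     */
    static int byteAndCountLimit(int[] fragmentSizes) {
        long bytes = 0;
        for (int i = 0; i < fragmentSizes.length; i++) {
            if (i >= MAX_CONTINUATION_FRAMES) return i; // too many fragments
            bytes += fragmentSizes[i];
            if (bytes > MAX_HEADER_BYTES) return i;      // too many bytes
        }
        return -1;
    }

    public static void main(String[] args) {
        // Constructed input: a header block split into 10,000 zero-byte CONTINUATION fragments.
        int[] zeroByteFlood = new int[10_000];
        // Constructed input: a normal header block split into a few small fragments.
        int[] normal = {1024, 512, 256};

        System.out.println("byte limit only, flood   -> " + byteLimitOnly(zeroByteFlood));
        System.out.println("byte+count limit, flood  -> " + byteAndCountLimit(zeroByteFlood));
        System.out.println("byte+count limit, normal -> " + byteAndCountLimit(normal));
    }
}
```

With these inputs the byte-only check returns -1 for the flood (all 10,000 fragments accepted and merged), while the counting check rejects the flood at index 32 and still returns -1 for the normal block.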

Tags: Exploit · Fix · DoS
Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers

CLEANSTART-2026-AV84730
CLEANSTART-2026-CF62516
CLEANSTART-2026-DD05788
CLEANSTART-2026-DY69070
CLEANSTART-2026-EZ90321
CLEANSTART-2026-GN46454
CLEANSTART-2026-IS05941
CLEANSTART-2026-JU62349
CLEANSTART-2026-KB76878
CLEANSTART-2026-LE11246
CLEANSTART-2026-QI14017
CLEANSTART-2026-RN56220
CLEANSTART-2026-SQ91016
CLEANSTART-2026-SR31778
CLEANSTART-2026-SV95049
CLEANSTART-2026-TK07726
CLEANSTART-2026-VH41554
CLEANSTART-2026-VJ37814
CLEANSTART-2026-VN28553
CLEANSTART-2026-WG59699
CLEANSTART-2026-WK99982
CVE-2026-33871
GHSA-W9FJ-CFPG-GRVV
OPENSUSE-SU-2026:10463-1
SUSE-SU-2026:1353-1

Affected Products

Confluence
Netty