PT-2026-38292 · Unknown · Micronaut Framework

Published 2026-05-06 · Updated 2026-05-13 · CVE-2026-44241

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Micronaut Framework versions 4.3.0 through 4.10.21

Description

An unauthenticated attacker can cause a denial of service by exhausting heap memory, leading to a JVM crash. The issue exists in the TimeConverterRegistrar component, which uses an unbounded ConcurrentHashMap to cache DateTimeFormatter instances. The cache key is generated by combining the @Format annotation pattern with the locale extracted from the Accept-Language HTTP header.

Because the Locale.forLanguageTag() function accepts arbitrary BCP 47 private-use extensions, an attacker can send numerous requests with unique locale tags to create an unlimited number of cache keys. This causes the cache to grow linearly with the number of distinct tags until the system runs out of memory.

This issue affects any route endpoint that uses a temporal parameter annotated with @Format.

Recommendations

Update to version 4.10.22. As a temporary workaround, avoid using the @Format annotation on temporal parameters in API endpoints to prevent the TimeConverterRegistrar from caching locale-based formatters.
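As an added illustration (this is not Micronaut's code and not the upstream fix), the standalone Java program below reproduces the cache-key pattern the advisory describes and places a bounded alternative beside it. The class names, the supported-locale list and the entry cap are assumptions made for the demo; the hardened variant resolves Accept-Language against a fixed set of supported locales with Locale.lookup, so unknown or private-use tags collapse onto a known locale (or Locale.ROOT) and can no longer mint fresh keys, and it caps the map size as a second line of defence.

```java
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Demo of the unbounded locale-keyed formatter cache and a bounded alternative. Not Micronaut code. */
public final class FormatterCacheDemo {

    // Pattern described in the advisory: key = @Format pattern + locale, where the locale
    // is whatever the client sent in Accept-Language, parsed by Locale.forLanguageTag().
    static final class UnboundedCache {
        private final Map<String, DateTimeFormatter> cache = new ConcurrentHashMap<>();

        DateTimeFormatter get(String pattern, String acceptLanguage) {
            Locale locale = Locale.forLanguageTag(acceptLanguage); // "en-x-<anything>" is accepted
            String key = pattern + "|" + locale.toLanguageTag();
            return cache.computeIfAbsent(key, k -> DateTimeFormatter.ofPattern(pattern, locale));
        }

        int size() { return cache.size(); }
    }

    // Hardened variant (assumed design for this demo): the header is matched against a fixed
    // list of supported locales, so the key space is |patterns| x |SUPPORTED|, and the map
    // evicts its least recently used entry once MAX_ENTRIES is exceeded.
    static final class BoundedCache {
        private static final List<Locale> SUPPORTED =
            List.of(Locale.ENGLISH, Locale.GERMAN, Locale.FRENCH, Locale.JAPANESE);
        private static final int MAX_ENTRIES = 256;

        private final Map<String, DateTimeFormatter> cache = Collections.synchronizedMap(
            new LinkedHashMap<String, DateTimeFormatter>(16, 0.75f, true) {
                @Override
                protected boolean removeEldestEntry(Map.Entry<String, DateTimeFormatter> eldest) {
                    return size() > MAX_ENTRIES;
                }
            });

        // RFC 4647 lookup: "de-DE,de;q=0.9" resolves to GERMAN, "en-x-abc" truncates to ENGLISH,
        // anything unsupported or malformed falls back to Locale.ROOT instead of a new key.
        static Locale resolve(String acceptLanguage) {
            try {
                List<Locale.LanguageRange> ranges = Locale.LanguageRange.parse(acceptLanguage);
                Locale match = Locale.lookup(ranges, SUPPORTED);
                return match != null ? match : Locale.ROOT;
            } catch (IllegalArgumentException e) {
                return Locale.ROOT;
            }
        }

        DateTimeFormatter get(String pattern, String acceptLanguage) {
            Locale locale = resolve(acceptLanguage);
            String key = pattern + "|" + locale.toLanguageTag();
            return cache.computeIfAbsent(key, k -> DateTimeFormatter.ofPattern(pattern, locale));
        }

        int size() { return cache.size(); }
    }

    public static void main(String[] args) {
        UnboundedCache unbounded = new UnboundedCache();
        BoundedCache bounded = new BoundedCache();
        String pattern = "yyyy-MM-dd";

        // Constructed sample input: 1000 syntactically valid but pairwise distinct private-use tags.
        for (int i = 0; i < 1000; i++) {
            String header = "en-x-" + Integer.toString(i, 36);
            unbounded.get(pattern, header);
            bounded.get(pattern, header);
        }
        System.out.println("unbounded cache entries: " + unbounded.size()); // grows with every distinct tag
        System.out.println("bounded cache entries:   " + bounded.size());   // all tags resolved to "en"

        // A legitimate header still gets a properly localised formatter.
        DateTimeFormatter de = bounded.get(pattern, "de-DE,de;q=0.9");
        System.out.println("de entry -> " + de.format(LocalDate.of(2026, 5, 6)));
        System.out.println("bounded cache entries:   " + bounded.size());   // now 2 (en, de)
    }
}
```

Compile and run with `javac FormatterCacheDemo.java && java FormatterCacheDemo` (Java 9 or later for List.of). The point of resolve() is that the key is derived from a locale the application has chosen to support, not from the raw client string; the size cap only limits damage if that normalisation is bypassed, so both are worth keeping.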

Tags: Exploit · Fix · DoS · Resource Exhaustion

Related Identifiers

CVE-2026-44241
GHSA-8HJV-92Q9-G4XJ

Affected Products

Micronaut Framework