PT-2026-47603 · Netty · Netty

Published 2026-06-08 · Updated 2026-06-08 · CVE-2026-44892

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Netty (affected versions not specified)

Description: The default configuration of Http3ConnectionHandler in the Netty HTTP/3 codec does not enforce a maximum header size. When a peer does not specify HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE, the implementation uses an unbounded limit. A malicious actor can therefore send an excessive number of headers, exhausting memory and causing a denial of service via an OutOfMemoryError. The default behaviour follows RFC 9114, which specifies an unlimited default, unlike Netty's HTTP/1.1 and HTTP/2 implementations, which enforce secure limits. The unbounded limit is passed into Http3FrameCodec#newFactory and stored as maxHeaderListSize within Http3FrameCodec.

Recommendations: Configure the maximum header field section size via Http3Settings to replace the insecure unbounded default.
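As an added illustration that is not part of this advisory or of Netty's own code, the following shows the weak server setup (no local field-section limit) beside the hardened one. It assumes the netty-incubator-codec-http3 API (Http3ServerConnectionHandler, DefaultHttp3SettingsFrame and the constant Http3SettingsFrame.HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE) and an 8 KiB limit chosen for the example; the Http3Settings name used by the advisory may correspond to a different class in the affected Netty version.

```java
// Added example, not from the advisory or the Netty project.
// Assumes the netty-incubator-codec-http3 / netty-incubator-codec-quic packages.
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelInitializer;
import io.netty.incubator.codec.http3.DefaultHttp3SettingsFrame;
import io.netty.incubator.codec.http3.Http3ServerConnectionHandler;
import io.netty.incubator.codec.http3.Http3SettingsFrame;
import io.netty.incubator.codec.quic.QuicChannel;
import io.netty.incubator.codec.quic.QuicStreamChannel;

public final class Http3HeaderLimits {

    /** Limit chosen for this example (assumed value, not a Netty default). */
    static final long MAX_FIELD_SECTION_SIZE = 8 * 1024;

    /** Weak: no local SETTINGS, so the field-section limit stays unbounded
     *  and a peer can push the server into an OutOfMemoryError with headers. */
    static ChannelHandler unboundedHandler(ChannelHandler requestStreamHandler) {
        return new Http3ServerConnectionHandler(requestStreamHandler);
    }

    /** Hardened: advertise an explicit MAX_FIELD_SECTION_SIZE in the local
     *  SETTINGS so the frame codec bounds the header list it will decode. */
    static ChannelHandler boundedHandler(ChannelHandler requestStreamHandler) {
        DefaultHttp3SettingsFrame local = new DefaultHttp3SettingsFrame();
        local.put(Http3SettingsFrame.HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE,
                  MAX_FIELD_SECTION_SIZE);
        return new Http3ServerConnectionHandler(
                requestStreamHandler,
                null,   // inboundControlStreamHandler: none needed here
                null,   // unknownInboundStreamHandlerFactory: use default handling
                local,  // local settings, sent to the peer and enforced locally
                false); // keep the QPACK dynamic table enabled
    }

    /** Connection initializer to hand to Http3.newQuicServerCodecBuilder().handler(...). */
    static ChannelInitializer<QuicChannel> serverInitializer(
            ChannelInitializer<QuicStreamChannel> requestStreams) {
        return new ChannelInitializer<QuicChannel>() {
            @Override
            protected void initChannel(QuicChannel ch) {
                ch.pipeline().addLast(boundedHandler(requestStreams));
            }
        };
    }
}
```

Verify the fix on a running server by inspecting the SETTINGS frame the server sends on its control stream: MAX_FIELD_SECTION_SIZE should be present with the configured value rather than absent.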

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2026-44892
GHSA-C2RX-5R8W-8XR2

Affected Products

Netty