PT-2026-47612 · Netty · Netty

Published 2026-06-08 · Updated 2026-06-12 · CVE-2026-47244
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
Netty versions prior to 4.1.135.Final
Netty versions prior to 4.2.15.Final
Description
In the Netty network application framework, DefaultHttp2Connection.DefaultEndpoint initializes maxActiveStreams and maxStreams to Integer.MAX_VALUE, while Http2Settings does not insert SETTINGS_MAX_CONCURRENT_STREAMS by default. If the application does not explicitly call initialSettings().maxConcurrentStreams(n) on its connection handler builder, the HTTP/2 server advertises no limit on concurrent streams and enforces none. A single TCP connection can therefore open hundreds of thousands of long-lived streams; each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and an IntObjectHashMap entry, so an attacker can exhaust server memory and CPU from one connection. The missing cap also amplifies Rapid Reset attacks: with no low per-connection limit, far more streams can be opened and reset per connection, increasing the workload pushed onto the backend.
Recommendations
Update to version 4.1.135.Final or 4.2.15.Final. As a temporary mitigation, explicitly call initialSettings().maxConcurrentStreams(n) on the server's HTTP/2 connection handler builder so that the server advertises and enforces a per-connection limit on concurrent streams. Note that this bounds streams per connection only; limits on the number of connections per client and on RST_STREAM rate still have to be applied separately.
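The mitigation above, shown as an added example that is not code from the Netty project or from this advisory. It assumes io.netty:netty-codec-http2 (which pulls in netty-handler) on the classpath, a cleartext prior-knowledge h2c listener on port 8080, and a limit of 100 concurrent streams, which is an illustrative value rather than a recommendation. `hardenedCodec()` builds the codec the way the advisory's workaround describes, `defaultCodec()` is the weak form left for comparison, and `advertisesStreamLimit()` is a helper added here to check whether a given Http2Settings object actually carries SETTINGS_MAX_CONCURRENT_STREAMS before the server goes live.

```java
import io.netty.bootstrap.ServerBootstrap;
import io.netty.buffer.Unpooled;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.EventLoopGroup;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.handler.codec.http2.DefaultHttp2DataFrame;
import io.netty.handler.codec.http2.DefaultHttp2Headers;
import io.netty.handler.codec.http2.DefaultHttp2HeadersFrame;
import io.netty.handler.codec.http2.Http2DataFrame;
import io.netty.handler.codec.http2.Http2Frame;
import io.netty.handler.codec.http2.Http2FrameCodec;
import io.netty.handler.codec.http2.Http2FrameCodecBuilder;
import io.netty.handler.codec.http2.Http2HeadersFrame;
import io.netty.handler.codec.http2.Http2MultiplexHandler;
import io.netty.handler.codec.http2.Http2Settings;
import io.netty.handler.codec.http2.Http2StreamChannel;
import io.netty.util.CharsetUtil;

/** Added example (not Netty project code): an h2c server that advertises an explicit stream cap. */
public final class Http2StreamLimitServer {

    // Illustrative value chosen for this example; size it to what your backend can serve per connection.
    static final int MAX_CONCURRENT_STREAMS = 100;

    /** Hardened form: the advisory's workaround, an explicit SETTINGS_MAX_CONCURRENT_STREAMS in the
     *  server's initial SETTINGS frame. The builder's initialSettings() returns its mutable
     *  Http2Settings, so setting the value there is what build() picks up. */
    static Http2FrameCodec hardenedCodec() {
        Http2FrameCodecBuilder builder = Http2FrameCodecBuilder.forServer();
        builder.initialSettings().maxConcurrentStreams(MAX_CONCURRENT_STREAMS);
        return builder.build();
    }

    /** Weak form for comparison: no explicit cap, so an affected Netty advertises and enforces none. */
    static Http2FrameCodec defaultCodec() {
        return Http2FrameCodecBuilder.forServer().build();
    }

    /** Pre-flight check: Http2Settings.maxConcurrentStreams() is null when the setting is absent. */
    static boolean advertisesStreamLimit(Http2Settings settings) {
        return settings.maxConcurrentStreams() != null;
    }

    /** Per-stream handler; wrapped in a ChannelInitializer because Http2MultiplexHandler installs
     *  it on every child (stream) channel and a non-@Sharable handler cannot be reused. */
    static ChannelHandler streamHandler() {
        return new ChannelInitializer<Http2StreamChannel>() {
            @Override
            protected void initChannel(Http2StreamChannel ch) {
                ch.pipeline().addLast(new SimpleChannelInboundHandler<Http2Frame>() {
                    @Override
                    protected void channelRead0(ChannelHandlerContext ctx, Http2Frame frame) {
                        boolean endOfRequest =
                                frame instanceof Http2HeadersFrame ? ((Http2HeadersFrame) frame).isEndStream()
                              : frame instanceof Http2DataFrame && ((Http2DataFrame) frame).isEndStream();
                        if (endOfRequest) {
                            ctx.write(new DefaultHttp2HeadersFrame(new DefaultHttp2Headers().status("200")));
                            ctx.writeAndFlush(new DefaultHttp2DataFrame(
                                    Unpooled.copiedBuffer("ok\n", CharsetUtil.UTF_8), true));
                        }
                    }
                });
            }
        };
    }

    public static void main(String[] args) throws Exception {
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 8080;

        // On affected versions the first line prints false and the second true.
        System.out.println("default builder advertises a stream limit: "
                + advertisesStreamLimit(Http2FrameCodecBuilder.forServer().initialSettings()));
        Http2FrameCodecBuilder hardened = Http2FrameCodecBuilder.forServer();
        hardened.initialSettings().maxConcurrentStreams(MAX_CONCURRENT_STREAMS);
        System.out.println("hardened builder advertises a stream limit: "
                + advertisesStreamLimit(hardened.initialSettings()));

        EventLoopGroup group = new NioEventLoopGroup();
        try {
            ServerBootstrap bootstrap = new ServerBootstrap()
                    .group(group)
                    .channel(NioServerSocketChannel.class)
                    .childHandler(new ChannelInitializer<SocketChannel>() {
                        @Override
                        protected void initChannel(SocketChannel ch) {
                            // Swap hardenedCodec() for defaultCodec() to observe the unbounded behaviour.
                            ch.pipeline().addLast(hardenedCodec(), new Http2MultiplexHandler(streamHandler()));
                        }
                    });
            Channel server = bootstrap.bind(port).sync().channel();
            System.out.println("h2c prior-knowledge server on :" + port
                    + " with SETTINGS_MAX_CONCURRENT_STREAMS=" + MAX_CONCURRENT_STREAMS);
            server.closeFuture().sync();
        } finally {
            group.shutdownGracefully();
        }
    }
}
```

To verify what the server actually advertises, connect with a client that dumps frames (for example `curl -v --http2-prior-knowledge http://127.0.0.1:8080/`, or nghttp with verbose output) and look for MAX_CONCURRENT_STREAMS in the server's first SETTINGS frame; with `defaultCodec()` on an affected version the field is simply absent. The cap is per connection, so an attacker holding many connections still multiplies it; pair it with connection limits per source and, on the Netty versions that expose it, the builder's per-connection RST_STREAM rate limit against Rapid Reset.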

Fix

Weakness Enumeration: Resource Exhaustion

Related Identifiers: CVE-2026-47244, GHSA-5X3R-WRVG-RP6Q

Affected Products: Netty