CVE-2026-33871
Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass
In short
A Netty HTTP/2 server can be knocked offline by sending many small control frames that bypass existing protections. An attacker uses minimal bandwidth to make the server use excessive CPU and stop responding.
Technical detail
Remote attacker exploits missing rate limiting on HTTP/2 CONTINUATION frames in Netty versions prior to 4.1.132.Final and 4.2.10.Final. By crafting zero-byte frames, the attacker circumvents size-based mitigations (CWE-770 Allocation of Resources Without Limits), causing unbounded CPU consumption and denial of service to legitimate users.
Summary generated and translated by AI from the official description.
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected products
netty · nettyWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →