CVEFinder.io

CVE-2026-44892

⚠️ high
🔍 Scan for this CVE
Summary

Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, the default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not explicitly specify `HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE`, the implementation defaults to an unbounded limit. This insecure default configuration allows a malicious client or server to send an enormous number of headers, leading

Description

Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, the default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not explicitly specify `HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE`, the implementation defaults to an unbounded limit. This insecure default configuration allows a malicious client or server to send an enormous number of headers, leading to a memory exhaustion Denial of Service via an `OutOfMemoryError`. Version 4.2.15.Final contains a patch.

CVSS Score
7.5
High
EPSS Score
0.5
Exploit Probability
Published Date
2026-06-12
First Seen: 2026-06-13
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 69.0% of all 328,009 vulnerabilities in our database.

#101,817
Above average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Jun 12, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
YES
Can be exploited automatically
💥 Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2026-06-15
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE IDs (Weakness Types)
CWE-400 CWE-1188

📦 Affected Products 1

Vendor Product Status Affected Versions
netty netty Affected
> 4.2.0 < 4.2.15

🔗 References 2

https://github.com/netty/netty/releases/tag/netty-4....
Release Notes
https://github.com/netty/netty/security/advisories/G...
Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-44893 ⚠️ high 7.5 0.6 Netty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior t... 2026-06-12
CVE-2026-44894 ⚠️ high 7.5 0.2 Netty is a network application framework for development of protocol servers and clients. NoQuicTokenHandler is the toke... 2026-06-12
CVE-2026-45416 ⚠️ high 7.5 0.6 Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Fina... 2026-06-12
CVE-2026-45536 🔶 medium 4.0 0.2 Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Fina... 2026-06-12
CVE-2026-45673 🔶 medium 6.8 0.4 Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Fina... 2026-06-12
CVE-2026-45674 ⚠️ high 8.7 0.2 Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Fina... 2026-06-12
These CVEs affect the same products