Skip to main content

Java CVE-2026-44241

HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-06 https://github.com/micronaut-projects/micronaut-core GHSA-8hjv-92q9-g4xj
7.5
CVSS 3.1 · Vendor: https://github.com/micronaut-projects/micronaut-core
Share

Severity by source

Vendor (https://github.com/micronaut-projects/micronaut-core) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from Vendor (https://github.com/micronaut-projects/micronaut-core) · only source for this CVE.

CVSS VectorVendor: https://github.com/micronaut-projects/micronaut-core

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 06, 2026 - 20:31 vuln.today
Analysis Generated
May 06, 2026 - 20:31 vuln.today
CVE Published
May 06, 2026 - 20:00 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 56 maven packages depend on io.micronaut:micronaut-context (13 direct, 43 indirect)

Ecosystem-wide dependent count for version 4.3.0.

DescriptionCVE.org

Summary

TimeConverterRegistrar caches DateTimeFormatter instances in an unbounded ConcurrentHashMap<String, DateTimeFormatter> whose key is derived from the @Format annotation pattern concatenated with the locale from the HTTP Accept-Language header. Because Locale.forLanguageTag() accepts arbitrary BCP 47 private-use extensions (en-x-a001, en-x-a002, …), an unauthenticated attacker can generate an unlimited number of unique cache keys by sending requests with novel locale tags, growing the cache until heap memory is exhausted and the JVM crashes. This is structurally identical to the recently patched GHSA-2hcp-gjrf-7fhc (DefaultHtmlErrorResponseBodyProvider), but TimeConverterRegistrar.formattersCache was not covered by that fix.

Details

The vulnerable cache is declared in context/src/main/java/io/micronaut/runtime/converters/time/TimeConverterRegistrar.java at line 123:

java
// TimeConverterRegistrar.java:123
private final Map<String, DateTimeFormatter> formattersCache = new ConcurrentHashMap<>();

The getFormatter method at line 434 inserts into this map with no eviction or size limit:

java
// TimeConverterRegistrar.java:434-443
private DateTimeFormatter getFormatter(String pattern, ConversionContext context) {
    var key = pattern + context.getLocale();        // locale from Accept-Language header
    var cachedFormatter = formattersCache.get(key);
    if (cachedFormatter != null) {
        return cachedFormatter;
    }
    var formatter = DateTimeFormatter.ofPattern(pattern, context.getLocale());
    formattersCache.put(key, formatter);            // NO SIZE CHECK - unbounded growth
    return formatter;
}

The attacker-controlled locale flows into the cache key through this call chain:

  1. HTTP header parsed - HttpHeaders.findAcceptLanguage() at http/src/main/java/io/micronaut/http/HttpHeaders.java:766-771 calls Locale.forLanguageTag(part) directly on the raw Accept-Language value:
java
// HttpHeaders.java:766-771
default Optional<Locale> findAcceptLanguage() {
    return findFirst(HttpHeaders.ACCEPT_LANGUAGE)
        .map(text -> {
            String part = HttpHeadersUtil.splitAcceptHeader(text);
            return part == null ? Locale.getDefault() : Locale.forLanguageTag(part);
        });
}
  1. Locale planted in ConversionContext - AbstractRouteMatch.newContext() at router/src/main/java/io/micronaut/web/router/AbstractRouteMatch.java:373-378 passes the request locale into the conversion context for every route argument binding:
java
// AbstractRouteMatch.java:373-378
private <E> ArgumentConversionContext<E> newContext(Argument<E> argument, HttpRequest<?> request) {
    return ConversionContext.of(
        argument,
        request.getLocale().orElse(null),   // ← attacker-controlled via Accept-Language
        request.getCharacterEncoding()
    );
}
  1. Unbounded cache insert - When any temporal argument annotated with @Format is bound, TimeConverterRegistrar.getFormatter(pattern, context) is called and inserts a new DateTimeFormatter for each unique pattern + locale key.

This path is triggered for any route endpoint with a @Format-annotated temporal parameter. This is an officially documented and commonly used Micronaut pattern, demonstrated in the framework's own test suite:

java
// test-suite/.../BindingController.java:105 (official Micronaut example)
@Get("/dateFormat")
public String dateFormat(@Format("dd/MM/yyyy hh:mm:ss a z") @Header ZonedDateTime date) {
    return date.toString();
}

TimeConverterRegistrar is an @Internal core bean registered unconditionally in every Micronaut application - it is not optional or user-configured. By contrast, the DefaultHtmlErrorResponseBodyProvider cache patched in GHSA-2hcp-gjrf-7fhc now uses a ConcurrentLinkedHashMap bounded at 100 entries; TimeConverterRegistrar.formattersCache remains an unbounded plain ConcurrentHashMap.

PoC

Against any Micronaut application exposing an endpoint with a @Format-annotated temporal parameter:

bash
# Flood the formattersCache with unique locale-derived keys
for i in $(seq 1 200000); do
  curl -s -o /dev/null \
    -H "Accept-Language: en-x-$(printf '%06d' $i)" \
    -H "date: 01/01/2024 12:00:00 AM UTC" \
    "http://localhost:8080/dateFormat" &
# Throttle to avoid socket exhaustion
  [ $((i % 500)) -eq 0 ] && wait
done
wait
# Server will throw OutOfMemoryError after enough unique locale entries accumulate

Each request with a novel en-x-XXXXXX private-use tag inserts a new DateTimeFormatter entry into the unbounded map. Each DateTimeFormatter (with locale metadata) occupies roughly 2-10 KB on the heap. At 100,000 unique entries, the map alone can consume ~500 MB; at 500,000 entries the JVM typically crashes with OutOfMemoryError: Java heap space.

Impact

  • An unauthenticated attacker can crash any Micronaut server that exposes at least one endpoint with a @Format-annotated temporal type parameter - a documented, first-class framework feature.
  • Memory grows linearly with the number of unique Accept-Language values sent. The BCP 47 private-use namespace (en-x-ANYTHING) provides millions of distinct valid locale strings.
  • No credentials, special permissions, or exploitation of application logic are required - only the ability to send HTTP requests with custom headers.
  • TimeConverterRegistrar is active in all Micronaut HTTP server applications by default; no special configuration is needed to be vulnerable.

Recommended Fix

Apply the same fix pattern used for GHSA-2hcp-gjrf-7fhc: replace the unbounded ConcurrentHashMap with a bounded ConcurrentLinkedHashMap:

java
// In TimeConverterRegistrar.java - replace line 123
import io.micronaut.core.util.clhm.ConcurrentLinkedHashMap;

private static final int MAX_FORMATTERS_CACHE_SIZE = 100;

private final Map<String, DateTimeFormatter> formattersCache =
    new ConcurrentLinkedHashMap.Builder<String, DateTimeFormatter>()
        .maximumWeightedCapacity(MAX_FORMATTERS_CACHE_SIZE)
        .build();

Alternatively, since @Format pattern values come from static annotations (a bounded, compile-time set), the locale should be excluded from the cache key and applied at use-time instead:

java
// In getFormatter() - cache only by pattern, apply locale at use-time
private DateTimeFormatter getFormatter(String pattern, ConversionContext context) {
    DateTimeFormatter base = formattersCache.computeIfAbsent(
        pattern, p -> DateTimeFormatter.ofPattern(p)
    );
    Locale locale = context.getLocale();
    return locale != null ? base.withLocale(locale) : base;
}

This second approach bounds the cache by the number of distinct @Format patterns in the application, which is always small and finite, fully eliminating the attack surface.

AnalysisAI

Unauthenticated remote denial-of-service in Micronaut Framework 4.3.0–4.10.21 allows heap exhaustion via crafted Accept-Language headers. The TimeConverterRegistrar component caches DateTimeFormatter instances in an unbounded ConcurrentHashMap keyed by @Format pattern plus locale. Attackers exploit BCP 47 private-use extensions (e.g., en-x-0001, en-x-0002) to generate millions of unique cache entries, consuming 500+ MB per 100,000 requests until JVM crashes with OutOfMemoryError. Publicly available exploit code exists (PoC provided in advisory). EPSS score not yet available for this 2026 CVE. Affects all Micronaut HTTP servers using documented @Format temporal parameter binding—a first-class framework feature requiring no special configuration. Vendor-released patch: 4.10.22 fixes both this and sibling vulnerability GHSA-3rfq-4wpf-qqw3 in ResourceBundleMessageSource. Structurally identical to previously patched GHSA-2hcp-gjrf-7fhc but in different component.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-44241 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy