Skip to main content

Netty HTTP/2 CVE-2026-47244

| EUVDEUVD-2026-36455 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-08 https://github.com/netty/netty GHSA-5x3r-wrvg-rp6q
5.3
CVSS 3.1 · Vendor: https://github.com/netty/netty
Share

Severity by source

Vendor (https://github.com/netty/netty) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from Vendor (https://github.com/netty/netty).

CVSS VectorVendor: https://github.com/netty/netty

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 08, 2026 - 23:38 vuln.today
Analysis Generated
Jun 08, 2026 - 23:38 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 283 maven packages depend on io.netty:netty-codec-http2 (20 direct, 263 indirect)

Ecosystem-wide dependent count for version 4.2.0.Final.

DescriptionCVE.org

Impact

DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work.

Resources

https://www.rfc-editor.org/rfc/rfc7540.html#section-6.5.2

AnalysisAI

Unbounded HTTP/2 stream creation in Netty's netty-codec-http2 library exposes any Netty HTTP/2 server running on default configuration to memory exhaustion from a single TCP connection. Because DefaultHttp2Connection.DefaultEndpoint initializes stream limits to Integer.MAX_VALUE and Http2Settings never advertises SETTINGS_MAX_CONCURRENT_STREAMS unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a remote unauthenticated attacker can sustain hundreds of thousands of simultaneous streams, each forcing JVM heap allocations for DefaultStream objects, PropertyMap slots, flow-controller state, and IntObjectHashMap entries. This misconfiguration is also the structural precondition for CVE-2023-44487-style HTTP/2 Rapid Reset amplification. No public exploit has been identified at time of analysis; vendor-released patches are available in 4.1.135.Final and 4.2.15.Final.

Technical ContextAI

HTTP/2 (RFC 7540 §6.5.2) defines the SETTINGS_MAX_CONCURRENT_STREAMS parameter to allow servers to advertise and enforce a cap on the number of simultaneously open streams per connection. Netty's implementation in DefaultHttp2Connection.DefaultEndpoint (io.netty:netty-codec-http2, Maven) initializes both maxActiveStreams and maxStreams to Integer.MAX_VALUE. Http2Settings.java lines 305-307 perform bounds clamping only when a caller supplies a value - they never inject a default SETTINGS_MAX_CONCURRENT_STREAMS into the SETTINGS frame sent during connection preface. The result is that a Netty HTTP/2 server silently accepts up to ~2^30 client-initiated (odd-numbered) stream IDs per connection. Every stream persists a DefaultStream object, associated PropertyMap slots, per-stream flow-controller state, and an IntObjectHashMap entry in the JVM heap for its lifetime. CWE-400 (Uncontrolled Resource Consumption) is the root cause class: resource allocation is unbounded because the gating check (a finite concurrent-stream limit) is absent by default, not because any single allocation is oversized. The CPE-identified artifact is pkg:maven/io.netty:netty-codec-http2, spanning both the 4.1.x and 4.2.x release trains.

RemediationAI

The primary fix is to upgrade io.netty:netty-codec-http2 to 4.1.135.Final (for 4.1.x users) or 4.2.15.Final (for 4.2.x users); both releases are confirmed by the Netty project at https://github.com/netty/netty/releases/tag/netty-4.1.135.Final and https://github.com/netty/netty/releases/tag/netty-4.2.15.Final respectively. As a compensating control for deployments that cannot immediately upgrade, application code should explicitly call initialSettings().maxConcurrentStreams(n) with a finite bound - the HTTP/2 specification and common practice suggest values in the range of 100 to 1000 depending on workload; this directly inserts SETTINGS_MAX_CONCURRENT_STREAMS into the server's SETTINGS frame and activates enforcement in DefaultHttp2Connection.DefaultEndpoint. Trade-off: setting this value too low may reject legitimate high-concurrency clients (e.g., browsers that pipeline aggressively), so the value should be tuned to observed peak legitimate traffic. A second-layer mitigation is to impose per-IP or per-connection stream-rate limits at a reverse proxy or load balancer (e.g., nginx http2_max_concurrent_streams, HAProxy h2-max-concurrent-streams), which limits amplification without modifying the Netty application itself. See the full advisory at https://github.com/netty/netty/security/advisories/GHSA-5x3r-wrvg-rp6q for vendor guidance.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

CVE-2026-47244 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy