
Netty HTTP/2 CVE-2026-50560

EUVD-2026-36471 · MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-12 · GitHub_M · GHSA-563q-j3cm-6jxm
6.9 (CVSS 4.0) · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 7.5 HIGH

Network-accessible, no auth, no interaction; availability rated High given functional equivalence to HTTP/2 Rapid Reset, overriding the official VA:L.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

SUSE: 5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Red Hat: 5.3 MEDIUM (qualitative)

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

Patch available: Jun 12, 2026 - 17:01 (EUVD)
Source code evidence fetched: Jun 12, 2026 - 16:34 (vuln.today)
Analysis generated: Jun 12, 2026 - 16:34 (vuln.today)

Blast Radius

Ecosystem impact (transitive dependency graph resolved by vuln.today to a depth of 4 paths):
  • 283 Maven packages depend on io.netty:netty-codec-http2 (20 direct, 263 indirect)

Ecosystem-wide dependent count for version 4.2.0.Final.

Description (CVE.org)

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification called SETTINGS_MAX_HEADER_LIST_SIZE. When a client sends that setting to Netty, it appears that Netty will behave as follows: read the request; proxy the request to the origin; attempt to produce a response; and create an exception while writing the headers for the response. Functionally, this should be similar to the http2 reset attack, but with a different on-the-wire signature. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Analysis (AI)

Netty's HTTP/2 codec mishandles the SETTINGS_MAX_HEADER_LIST_SIZE client setting, enabling a denial-of-service attack functionally equivalent to HTTP/2 Rapid Reset (CVE-2023-44487) but with a distinct on-wire signature. Affected Netty versions prior to 4.1.135.Final and 4.2.15.Final fully process and proxy incoming requests to the origin before encountering an exception during response header serialization, consuming server resources without completing responses. …
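Because the trigger is a client advertising an unusually small SETTINGS_MAX_HEADER_LIST_SIZE, a defender in front of a Netty service can spot it in the connection preface. The following is an added example, not Netty's code or part of this advisory: it parses raw HTTP/2 frames (RFC 9113 framing, as captured at a TLS-terminating proxy or from a decrypted pcap, an assumed vantage point) and flags connections whose advertised limit is below a chosen floor; the 4096-byte floor and the sample frames are constructed for illustration.

```python
import struct

# HTTP/2 constants from RFC 9113.
FRAME_SETTINGS = 0x4
FLAG_ACK = 0x1
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6
CONNECTION_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")      # 24-bit length
        ftype, flags = data[off + 3], data[off + 4]            # type, flags
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated frame: stop rather than misparse
        yield ftype, flags, stream_id, payload
        off += 9 + length

def decode_settings(payload: bytes) -> dict:
    """Decode a SETTINGS payload (6-byte id/value pairs) into {identifier: value}."""
    if len(payload) % 6:
        raise ValueError("malformed SETTINGS payload")
    return {ident: value for ident, value in struct.iter_unpack("!HI", payload)}

def advertised_max_header_list_size(client_bytes: bytes):
    """Smallest SETTINGS_MAX_HEADER_LIST_SIZE the client advertised, or None if never sent."""
    if client_bytes.startswith(CONNECTION_PREFACE):
        client_bytes = client_bytes[len(CONNECTION_PREFACE):]
    smallest = None
    for ftype, flags, stream_id, payload in parse_frames(client_bytes):
        if ftype != FRAME_SETTINGS or flags & FLAG_ACK or stream_id != 0:
            continue  # only non-ACK SETTINGS on stream 0 carry values
        value = decode_settings(payload).get(SETTINGS_MAX_HEADER_LIST_SIZE)
        if value is not None and (smallest is None or value < smallest):
            smallest = value
    return smallest

def is_suspicious(client_bytes: bytes, floor: int = 4096) -> bool:
    """Flag a client whose limit could not fit an ordinary response header block (floor is a heuristic)."""
    value = advertised_max_header_list_size(client_bytes)
    return value is not None and value < floor

def build_settings(settings: dict) -> bytes:
    """Encode a non-ACK SETTINGS frame on stream 0; used here only to construct sample input."""
    payload = b"".join(struct.pack("!HI", k, v) for k, v in settings.items())
    header = len(payload).to_bytes(3, "big") + bytes([FRAME_SETTINGS, 0]) + (0).to_bytes(4, "big")
    return header + payload
```

A proxy or IDS rule built on this check would rate-limit or reject such connections early, before the request is read and forwarded to the origin.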


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify Netty HTTP/2 service endpoint
Delivery: Establish HTTP/2 connection advertising minimal SETTINGS_MAX_HEADER_LIST_SIZE
Exploit: Send high-volume request streams triggering full request processing
Execution: Force exception on response header write per stream
Persist: Exhaust Netty I/O thread pool
Impact: Service unavailable to legitimate clients

Vulnerability Assessment (AI)

Exploitation: HTTP/2 must be enabled and actively served by the target Netty deployment; services using only HTTP/1.1 are not affected. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The official CVSS 4.0 score of 6.9 uses VA:L (low availability impact to the vulnerable system), which appears to underweight the potential DoS severity given the explicit analogy to HTTP/2 Rapid Reset, a technique used in record-breaking DDoS campaigns exceeding 398 million requests per second. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker sends a stream of HTTP/2 connections to a Netty-based service, each advertising a very small SETTINGS_MAX_HEADER_LIST_SIZE. For each stream, Netty reads the request body, proxies it to the origin backend, and then fails with an exception when it cannot serialize the response headers within the declared limit. …

Remediation: Upgrade to Netty 4.1.135.Final (https://github.com/netty/netty/releases/tag/netty-4.1.135.Final) or 4.2.15.Final (https://github.com/netty/netty/releases/tag/netty-4.2.15.Final) as the primary fix; these are vendor-confirmed patched releases. … Detailed patch versions, workarounds, and compensating controls in full report.


Vendor Status (Vendor)

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
