CVE-2026-33871

216.73.216.226

· Published 27/03/2026 20:16 · Modified 27/03/2026 20:16

Labels: CVE-2026-33871 2026-03-27 CVE-2026-33871 CWE-770 [email protected]

Essential information

Published: 27/03/2026 20:16
Modified: 27/03/2026 20:16
Author: —
Creator: —
CVSS: 8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
netty / netty	`cpe:2.3:a:netty:netty:<4.1.132.Final:::::::*`
netty / netty	`cpe:2.3:a:netty:netty:<4.2.10.Final:::::::*`