Resource exhaustion in Netty

CVE-2026-33871

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATIO…

EPSS: 0.000 (11.7th percentile) — read the EPSS interpretation.

Affected products

Netty — versions < 4.1.132.Final, >= 4.2.0.Alpha1, < 4.2.10.Final

Weakness classification (CWE)

CWE-770 — Allocation of Resources Without Limits or Throttling

References

https://github.com/netty/netty/security/advisories/GHSA-w9fj-cfpg-grvv (x_refsource_CONFIRM)