CVE-2026-33871

EUVD-2026-16790
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 10%
Affected Products (NVD)
VendorProductVersion
nettynetty
𝑥
< 4.1.132
nettynetty
4.2.0 ≤
𝑥
< 4.2.10
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
netty
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
vulnerable
sid
vulnerable
trixie
vulnerable
trixie (security)
vulnerable
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
netty-tcnative
suse enterprise desktop 15 SP7
2.0.75-150200.3.36.1
fixed
suse enterprise sap 15 SP7
2.0.75-150200.3.36.1
fixed
suse enterprise server 15 SP7
2.0.75-150200.3.36.1
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://github.com/netty/netty/security/advisories/GHSA-w9fj-cfpg-grvv