CVE-2026-44892

Description

Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, the default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not explicitly specify `HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE`, the implementation defaults to an unbounded limit. This insecure default configuration allows a malicious client or server to send an enormous number of headers, leading to a memory exhaustion Denial of Service via an `OutOfMemoryError`. Version 4.2.15.Final contains a patch.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected products

netty / netty>= 4.2.0.Final, < 4.2.15.Final – >= 4.2.0.Final, < 4.2.15.Final

References

VENDOR_ADVISORYhttps://github.com/netty/netty/security/advisories/GHSA-c2rx-5r8w-8xr2
PATCHhttps://github.com/netty/netty/releases/tag/netty-4.2.15.Final