CVE-2026-44892 (Severity: HIGH, CNA: GitHub_M)

CVE-2026-44892: Netty has a Vulnerable Default Configuration Which Leads to Denial of Service via Unbounded HTTP/3 Header Size

Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, the default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not explicitly specify `HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE`, the implementation defaults to an unbounded limit. This insecure default configuration allows a malicious client or server to send an enormous number of headers, leading to a memory exhaustion Denial of Service via an `OutOfMemoryError`. Version 4.2.15.Final contains a patch.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: (not listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a denial-of-service vulnerability in Netty's HTTP/3 codec caused by a missing maximum header size limit in the default configuration of Http3ConnectionHandler. The flaw is reachable over the network with no authentication required, making it trivially exploitable by any client that can send HTTP/3 traffic to an affected service. A malicious peer sends an oversized or excessive number of HTTP/3 headers, exhausting JVM heap memory and crashing the service with an OutOfMemoryError. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-44892 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Netty in the affected range (4.2.0.Final through 4.2.14.Final).

Triage (Available)

HarborGuard is capable of scoring this CVE at CVSS 7.5 HIGH and weighting it against each environment's compliance policy to surface it with the appropriate urgency. Triage routing is available to direct alerts to the relevant team inbox within each customer organization based on image ownership and policy configuration.

Patch (Pending upstream)

Because no fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment version 4.2.15.Final or a later upstream fix is confirmed. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once the fix is available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected service over the network by sending HTTP/3 traffic; no local access or special network position is required.

  • Authentication: Not required

    No credentials or session token are needed; any unauthenticated peer that can open an HTTP/3 connection can trigger the vulnerability.

  • Victim interaction: Not required

    The attack is entirely server-side and requires no action from a legitimate user or operator.

  • Attack complexity: Low (AC:L in the CVSS vector)

    Exploitation is reliable and condition-free; the attacker simply sends oversized or excessive headers over a standard HTTP/3 connection without needing to satisfy any timing or environmental precondition.

Blast Radius

  • The targeted JVM process exhausts heap memory and terminates with an OutOfMemoryError, taking down any service hosted by that Netty instance.
  • All in-flight requests and active connections to the service are dropped at the moment of crash, interrupting service for legitimate clients.
  • Depending on restart policy and infrastructure configuration, the crash may cascade into repeated OOM loops if the malicious client reconnects before the heap limit is enforced.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists yet, the platform monitors the Netty advisory on every ingest cycle and will surface a patched-image rebuild automatically once version 4.2.15.Final is published. In the interim, compensating controls are worth considering: network policy rules that restrict which clients can open HTTP/3 connections to affected services, egress filtering to limit exposure of internal Netty services to untrusted peers, and where the application framework allows it, explicitly setting HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE in Http3ConnectionHandler configuration to enforce a bounded limit at the application level. Where compliance policy permits, customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads without delay once the fix is available upstream.
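The application-level control mentioned above, shown as an added example that is not code from Netty, HarborGuard or the advisory: a server built on Netty's HTTP/3 codec advertises an explicit HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE in its local SETTINGS instead of relying on the unbounded default. It assumes the Netty 4.2 package names io.netty.handler.codec.http3 and io.netty.handler.codec.quic, the five-argument Http3ServerConnectionHandler constructor that accepts a local Http3SettingsFrame, and the Http3RequestStreamInboundHandler callbacks as documented in the codec's README; the 16 KiB bound is a constructed value chosen for illustration, since the page does not state what default 4.2.15.Final introduces.

```java
import java.util.concurrent.TimeUnit;

import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInitializer;
import io.netty.handler.codec.http3.DefaultHttp3HeadersFrame;
import io.netty.handler.codec.http3.DefaultHttp3SettingsFrame;
import io.netty.handler.codec.http3.Http3;
import io.netty.handler.codec.http3.Http3DataFrame;
import io.netty.handler.codec.http3.Http3HeadersFrame;
import io.netty.handler.codec.http3.Http3RequestStreamInboundHandler;
import io.netty.handler.codec.http3.Http3ServerConnectionHandler;
import io.netty.handler.codec.http3.Http3SettingsFrame;
import io.netty.handler.codec.quic.InsecureQuicTokenHandler;
import io.netty.handler.codec.quic.QuicChannel;
import io.netty.handler.codec.quic.QuicSslContext;
import io.netty.handler.codec.quic.QuicStreamChannel;
import io.netty.util.ReferenceCountUtil;

/** Example server codec that bounds the header field section a peer may send. */
public final class BoundedHeaderHttp3Server {

    // Constructed value for illustration: the largest decoded field section we will
    // accept from a peer. Size it to the headers your routes actually need; this is
    // not the upstream default, which the advisory does not state.
    static final long MAX_FIELD_SECTION_SIZE = 16 * 1024;

    /** Local SETTINGS advertised to every peer on the control stream. */
    static Http3SettingsFrame boundedLocalSettings() {
        DefaultHttp3SettingsFrame settings = new DefaultHttp3SettingsFrame();
        // The setting at the heart of CVE-2026-44892: leave it unset and the
        // affected versions fall back to an unbounded limit.
        settings.put(Http3SettingsFrame.HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE,
                     MAX_FIELD_SECTION_SIZE);
        return settings;
    }

    /** Builds the QUIC/HTTP3 server codec; sslContext is supplied by the caller. */
    static ChannelHandler serverCodec(QuicSslContext sslContext) {
        return Http3.newQuicServerCodecBuilder()
                .sslContext(sslContext)
                .maxIdleTimeout(5000, TimeUnit.MILLISECONDS)
                .initialMaxData(10_000_000)
                .initialMaxStreamDataBidirectionalLocal(1_000_000)
                .initialMaxStreamDataBidirectionalRemote(1_000_000)
                .initialMaxStreamsBidirectional(100)
                .tokenHandler(InsecureQuicTokenHandler.INSTANCE)
                .handler(new ChannelInitializer<QuicChannel>() {
                    @Override
                    protected void initChannel(QuicChannel ch) {
                        // Assumed constructor shape: (requestStreamHandler,
                        // inboundControlStreamHandler, unknownInboundStreamHandlerFactory,
                        // localSettings, disableQpackDynamicTable).
                        ch.pipeline().addLast(new Http3ServerConnectionHandler(
                                requestStreamInitializer(),
                                null,                    // no extra control-stream handler
                                null,                    // no handler for unknown streams
                                boundedLocalSettings(),  // explicit, bounded SETTINGS
                                false));                 // keep the QPACK dynamic table
                    }
                })
                .build();
    }

    /** Minimal per-request-stream handler that drains frames and replies 204. */
    static ChannelHandler requestStreamInitializer() {
        return new ChannelInitializer<QuicStreamChannel>() {
            @Override
            protected void initChannel(QuicStreamChannel ch) {
                ch.pipeline().addLast(new Http3RequestStreamInboundHandler() {
                    @Override
                    protected void channelRead(ChannelHandlerContext ctx, Http3HeadersFrame frame) {
                        ReferenceCountUtil.release(frame);
                    }

                    @Override
                    protected void channelRead(ChannelHandlerContext ctx, Http3DataFrame frame) {
                        ReferenceCountUtil.release(frame);
                    }

                    @Override
                    protected void channelInputClosed(ChannelHandlerContext ctx) {
                        Http3HeadersFrame headers = new DefaultHttp3HeadersFrame();
                        headers.headers().status("204");
                        ctx.writeAndFlush(headers).addListener(QuicStreamChannel.SHUTDOWN_OUTPUT);
                    }
                });
            }
        };
    }
}
```

The advertised value is what the local side enforces on incoming field sections, so once it is set the codec can refuse an over-sized header block instead of decoding it fully into the heap. The advisory notes that a malicious server can trigger the same exhaustion in a client, so a Netty HTTP/3 client should advertise a bound in its own local settings as well; I am assuming, without having checked it here, that the client-side connection handler accepts a local Http3SettingsFrame in the same way.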

Affected packages

  • netty / netty: >= 4.2.0.Final, < 4.2.15.Final

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H