CVE-2026-33871

About vulnerability

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server’s lack of a limit on the number of CONTINUATION frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

Affected product:

Apache Kafka , Apache Spark , Eclipse Jetty , Netty , Spring , artemis , async-http-client , avro , azure-sdk-for-java , bolt-connection-java , cassandra-java-driver , couchbase-jvm-clients , cxf , elasticsearch , grpc-netty , infinispan , java-driver , lettuce , logging-flume , logging-log4j2 , neo4j-java-driver , netty , pulsar , rsocket-java , tika , wildfly , zookeeper

Affected packages:

netty (+5860 more)

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server’s lack of a limit on the number of CONTINUATION frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.