CVE-2026-50560

About vulnerability

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification called SETTINGS_MAX_HEADER_LIST_SIZE. When a client sends that setting to Netty, it appears that Netty will behave as follows: read the request; proxy the request to the origin; attempt to produce a response; and create an exception while writing the headers for the response. Functionally, this should be similar to the http2 reset attack, but with a different on-the-wire signature. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Affected product:

Apache CXF , Apache Kafka , Apache Log4j , Apache Spark , Eclipse Jetty , Netty , React , Spring , Wildfly , artemis , async-http-client , avro , azure-sdk-for-java , bolt-connection-java , camel , cassandra-java-driver , couchbase-jvm-clients , elasticsearch , grpc-java , infinispan , java-driver , lettuce , logging-flume , neo4j-java-driver , netty , pulsar , rsocket-java , tika , vert.x , wildfly , zookeeper

Affected packages:

netty-codec-http2 @ 4.1.27.Final (+6766 more)

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification called SETTINGS_MAX_HEADER_LIST_SIZE. When a client sends that setting to Netty, it appears that Netty will behave as follows: read the request; proxy the request to the origin; attempt to produce a response; and create an exception while writing the headers for the response. Functionally, this should be similar to the http2 reset attack, but with a different on-the-wire signature. Versions 4.1.135.Final and 4.2.15.Final patch the issue.