Denial of Service Vulnerability in Netty HTTP/2 Framework
CVE-2026-33871

8.7HIGH

Key Information:

Vendor: Netty
Status: Netty
Vendor: CVE Published:; 27 March 2026

What is CVE-2026-33871?

The Netty HTTP/2 Framework is susceptible to a denial of service attack due to the handling of CONTINUATION frames. In vulnerable versions prior to 4.1.132.Final and 4.2.10.Final, a remote attacker can exploit the absence of limits on CONTINUATION frames to trigger excessive CPU usage. This is accomplished by sending a flood of zero-byte CONTINUATION frames, which bypasses existing size-based protections, ultimately leading to server unresponsiveness with minimal network load. Users are urged to upgrade to fixed versions to mitigate this issue.

Affected Version(s)

netty < 4.1.132.Final < 4.1.132.Final

netty >= 4.2.0.Alpha1, < 4.2.10.Final < 4.2.0.Alpha1, 4.2.10.Final

References

https://github.com/netty/netty/security/advisories/GHSA-w...

x_refsource_CONFIRM

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 27, 2026
Vulnerability Reserved
Mar 24, 2026

CVE-2026-33871 Data

JSON