Heap Memory Exhaustion in Micronaut Framework by Unauthenticated Attacker
CVE-2026-44242

3.7 LOW

Key Information:

Vendor
CVE Published: 12 May 2026

What is CVE-2026-44242?

The Micronaut Framework, a full stack Java framework, is susceptible to a heap memory exhaustion vulnerability caused by an improperly managed bundleCache. In versions prior to 4.10.22, the cache is indexed by (Locale, baseName), where the Locale is derived from the HTTP Accept-Language header. If an application explicitly registers a ResourceBundleMessageSource bean to manage error responses, an unauthenticated attacker can exploit this flaw by sending requests with a large number of unique Accept-Language values. Each new value creates another cache entry, and because the cache has no size bound, the entries eventually consume all available heap memory and cause service disruptions.
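The following is an added Java example, not Micronaut's own code and not the 4.10.22 fix: it shows one general way to keep a (Locale, baseName) cache from growing with request input, by mapping Accept-Language onto a fixed set of supported locales and capping the cache with LRU eviction. The class name BoundedBundleCache, the supported-locale list, the entry cap and the sample header values are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.ResourceBundle;

// Hypothetical helper (not a Micronaut class); requires Java 16+ for records.
public final class BoundedBundleCache {
    // Assumption: the locales the application actually ships bundles for.
    private static final List<Locale> SUPPORTED =
            List.of(Locale.ENGLISH, Locale.FRENCH, Locale.GERMAN);
    private static final Locale FALLBACK = Locale.ENGLISH;
    private static final int MAX_ENTRIES = 64; // hard cap, independent of input

    private record Key(Locale locale, String baseName) {}

    // Access-ordered map: the least recently used entry is evicted at the cap.
    private final Map<Key, ResourceBundle> cache = new LinkedHashMap<>(16, 0.75f, true) {
        @Override
        protected boolean removeEldestEntry(Map.Entry<Key, ResourceBundle> eldest) {
            return size() > MAX_ENTRIES;
        }
    };

    // Collapse any header value to one of SUPPORTED, so the key space is finite.
    static Locale normalize(String acceptLanguage) {
        if (acceptLanguage == null || acceptLanguage.isBlank()) return FALLBACK;
        try {
            Locale match = Locale.lookup(Locale.LanguageRange.parse(acceptLanguage), SUPPORTED);
            return match != null ? match : FALLBACK;
        } catch (IllegalArgumentException malformedHeader) {
            return FALLBACK;
        }
    }

    // Throws MissingResourceException if no bundle exists for baseName.
    public synchronized ResourceBundle bundleFor(String acceptLanguage, String baseName) {
        Key key = new Key(normalize(acceptLanguage), baseName);
        return cache.computeIfAbsent(key, k -> ResourceBundle.getBundle(k.baseName(), k.locale()));
    }

    public static void main(String[] args) {
        // Constructed sample header values, not taken from real traffic.
        for (String h : new String[] {"fr-CA,fr;q=0.9", "de", "xx-123abc", "", "not a header"}) {
            System.out.println("[" + h + "] -> " + normalize(h));
        }
    }
}
```

With this shape, the number of distinct keys is at most the number of supported locales times the number of base names, regardless of how many different header values arrive.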

Affected Version(s)

micronaut-core < 4.10.22

CVSS V3.1

Score: 3.7
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
