Denial of Service Vulnerability in Netty Framework STOMP Protocol
CVE-2026-44891
7.5HIGH
What is CVE-2026-44891?
The vulnerability in the Netty framework's STOMP protocol handling can lead to a denial of service condition. Specifically, prior to version 4.1.136.Final and 4.2.16.Final, the StompSubframeDecoder did not impose limits on the number or cumulative size of headers per STOMP frame. An attacker exploiting this flaw could generate numerous short headers that accumulate in memory, eventually leading to an OutOfMemoryError within the Java Virtual Machine (JVM). This flaw affects servers that expose a STOMP endpoint, necessitating immediate updates to versions that address this issue.
Affected Version(s)
netty < 4.1.136.Final < 4.1.136.Final
netty >= 4.2.0.Final, < 4.2.16.Final < 4.2.0.Final, 4.2.16.Final
