Denial of Service Vulnerability in Netty Framework STOMP Protocol
CVE-2026-44891

7.5HIGH

Key Information:

Vendor

Netty

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-44891?

The vulnerability in the Netty framework's STOMP protocol handling can lead to a denial of service condition. Specifically, prior to version 4.1.136.Final and 4.2.16.Final, the StompSubframeDecoder did not impose limits on the number or cumulative size of headers per STOMP frame. An attacker exploiting this flaw could generate numerous short headers that accumulate in memory, eventually leading to an OutOfMemoryError within the Java Virtual Machine (JVM). This flaw affects servers that expose a STOMP endpoint, necessitating immediate updates to versions that address this issue.

Affected Version(s)

netty < 4.1.136.Final < 4.1.136.Final

netty >= 4.2.0.Final, < 4.2.16.Final < 4.2.0.Final, 4.2.16.Final

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.