Memory Exhaustion Vulnerability in Netty HTTP/3 Codec by Netty
CVE-2026-44892
7.5HIGH
What is CVE-2026-44892?
The Netty HTTP/3 codec previously had a default configuration in its Http3ConnectionHandler that did not enforce a maximum header size limit. This oversight meant that if a peer client or server failed to set the HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE, the framework permitted an unlimited number of headers to be sent. As a result, an attacker could exploit this flaw to create conditions leading to memory exhaustion and a Denial of Service (DoS) via an OutOfMemoryError. An update in version 4.2.15.Final introduces a critical patch to address this issue.
Affected Version(s)
netty >= 4.2.0.Final, < 4.2.15.Final
