CVE Catalog

CVE-2026-50560

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

22th percentile — higher than 22% of all known CVEs

Summary

Netty, a network application framework, prior to versions 4.1.135.Final and 4.2.15.Final had an issue with handling max HTTP/2 header size, allowing an attack similar to HTTP/2 Rapid Reset. This could result in exceptions when writing response headers during request processing.

Risk Assessment

Organizations using vulnerable versions of Netty may be exposed to attacks that could disrupt application functionality and potentially lead to data loss.

Recommendation

It is recommended to upgrade Netty to versions 4.1.135.Final or 4.2.15.Final to mitigate this vulnerability.

Original NVD description (English source)

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification called `SETTINGS_MAX_HEADER_LIST_SIZE`. When a client sends that setting to Netty, it appears that Netty will behave as follows: read the request; proxy the request to the origin; attempt to produce a response; and create an exception while writing the headers for the response. Functionally, this should be similar to the http2 reset attack, but with a different on-the-wire signature. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS