CVE-2026-33871
Denial of Service via CONTINUATION Frame Flood in Netty HTTP
Publication date: 2026-03-27
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| netty | netty | to 4.1.132 (exc) |
| netty | netty | From 4.2.0 (inc) to 4.2.10 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33871 is a high-severity Denial of Service (DoS) vulnerability in Netty's HTTP/2 server implementation prior to versions 4.1.132.Final and 4.2.12.Final.
The vulnerability occurs because the server does not limit the number of HTTP/2 CONTINUATION frames it processes after receiving a HEADERS frame without the END_HEADERS flag.
Attackers can send a flood of zero-byte CONTINUATION frames, which bypass existing size-based protections, causing the server to consume excessive CPU resources and become unresponsive.
How can this vulnerability impact me? :
This vulnerability allows an unauthenticated remote attacker to cause a Denial of Service (DoS) by exhausting server CPU resources with minimal bandwidth.
As a result, the affected Netty HTTP/2 server can become unresponsive, denying service to legitimate users.
The attack is low complexity, requires no privileges or user interaction, and can be executed remotely over the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual or excessive HTTP/2 CONTINUATION frames being sent to your Netty HTTP/2 server. Since the attack involves flooding the server with zero-byte CONTINUATION frames, network traffic analysis tools or packet capture utilities can be used to identify such patterns.
You can use network packet capture tools like tcpdump or Wireshark to filter and inspect HTTP/2 CONTINUATION frames. For example, using tcpdump, you might run a command to capture HTTP/2 traffic and then analyze the frames for an unusually high number of CONTINUATION frames with zero-byte payloads.
- tcpdump -i <interface> -w capture.pcap 'tcp port 443'
- Use Wireshark to open capture.pcap and filter for HTTP/2 CONTINUATION frames.
Additionally, monitoring server CPU usage for spikes without corresponding legitimate traffic increases can indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade your Netty HTTP/2 server to a patched version that addresses this vulnerability. Specifically, upgrade to version 4.1.132.Final or later, or 4.2.12.Final or later.
Until you can upgrade, consider implementing network-level protections such as rate limiting or filtering to block excessive CONTINUATION frames or unusual HTTP/2 traffic patterns that could indicate an attack.
Monitoring and alerting on abnormal CPU usage and unusual HTTP/2 frame patterns can also help detect and respond to exploitation attempts promptly.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability causes a Denial of Service (DoS) by exhausting server CPU resources, leading to unavailability of the affected Netty HTTP/2 server.
While the vulnerability does not impact confidentiality or integrity of data, the resulting service unavailability could affect compliance with standards and regulations that require maintaining availability and reliable access to services, such as HIPAA's availability requirements or GDPR's requirements for ensuring service continuity.
However, the provided information does not explicitly discuss compliance impacts or regulatory considerations.