CVE-2026-33871
Received Received - Intake
Denial of Service via CONTINUATION Frame Flood in Netty HTTP

Publication date: 2026-03-27

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33871
EUVD
EUVD-2026-16790
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
netty netty to 4.1.132 (exc)
netty netty From 4.2.0 (inc) to 4.2.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33871 is a high-severity Denial of Service (DoS) vulnerability in Netty's HTTP/2 server implementation prior to versions 4.1.132.Final and 4.2.12.Final.

The vulnerability occurs because the server does not limit the number of HTTP/2 CONTINUATION frames it processes after receiving a HEADERS frame without the END_HEADERS flag.

Attackers can send a flood of zero-byte CONTINUATION frames, which bypass existing size-based protections, causing the server to consume excessive CPU resources and become unresponsive.

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to cause a Denial of Service (DoS) by exhausting server CPU resources with minimal bandwidth.

As a result, the affected Netty HTTP/2 server can become unresponsive, denying service to legitimate users.

The attack is low complexity, requires no privileges or user interaction, and can be executed remotely over the network.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or excessive HTTP/2 CONTINUATION frames being sent to your Netty HTTP/2 server. Since the attack involves flooding the server with zero-byte CONTINUATION frames, network traffic analysis tools or packet capture utilities can be used to identify such patterns.

You can use network packet capture tools like tcpdump or Wireshark to filter and inspect HTTP/2 CONTINUATION frames. For example, using tcpdump, you might run a command to capture HTTP/2 traffic and then analyze the frames for an unusually high number of CONTINUATION frames with zero-byte payloads.

  • tcpdump -i <interface> -w capture.pcap 'tcp port 443'
  • Use Wireshark to open capture.pcap and filter for HTTP/2 CONTINUATION frames.

Additionally, monitoring server CPU usage for spikes without corresponding legitimate traffic increases can indicate exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade your Netty HTTP/2 server to a patched version that addresses this vulnerability. Specifically, upgrade to version 4.1.132.Final or later, or 4.2.12.Final or later.

Until you can upgrade, consider implementing network-level protections such as rate limiting or filtering to block excessive CONTINUATION frames or unusual HTTP/2 traffic patterns that could indicate an attack.

Monitoring and alerting on abnormal CPU usage and unusual HTTP/2 frame patterns can also help detect and respond to exploitation attempts promptly.

Compliance Impact

This vulnerability causes a Denial of Service (DoS) by exhausting server CPU resources, leading to unavailability of the affected Netty HTTP/2 server.

While the vulnerability does not impact confidentiality or integrity of data, the resulting service unavailability could affect compliance with standards and regulations that require maintaining availability and reliable access to services, such as HIPAA's availability requirements or GDPR's requirements for ensuring service continuity.

However, the provided information does not explicitly discuss compliance impacts or regulatory considerations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33871. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart