CVE-2026-44892
Memory Exhaustion in Netty HTTP/3 via Unbounded Headers

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, the default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not explicitly specify `HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE`, the implementation defaults to an unbounded limit. This insecure default configuration allows a malicious client or server to send an enormous number of headers, leading to a memory exhaustion Denial of Service via an `OutOfMemoryError`. Version 4.2.15.Final contains a patch.
Affected Vendors & Products
2 associated CPEs

Vendor   Product              Version / Range
netty    netty                up to 4.2.15.Final (excluding)
netty    netty-codec-http3    up to 4.2.15.Final (excluding)
CWE
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Executive Summary

CVE-2026-44892 is a vulnerability in Netty's HTTP/3 codec, specifically in the Http3ConnectionHandler. The default configuration does not enforce a maximum header size limit when the peer does not specify the HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE setting. This results in an unbounded header size limit, allowing a malicious client or server to send an extremely large number of headers.

Because of this, the process can exhaust its heap, leading to a Denial of Service (DoS) in the form of an OutOfMemoryError. The issue arises because, unlike HTTP/1.1 and HTTP/2, where Netty enforces a secure header size limit by default, the HTTP/3 SETTINGS_MAX_FIELD_SECTION_SIZE parameter has an unlimited default value in RFC 9114, and Netty's default configuration inherited that unbounded limit.

The vulnerability is addressed in Netty version 4.2.15.Final by enforcing a secure maximum header size limit.

Impact Analysis

This vulnerability can lead to a Denial of Service (DoS) attack against applications using Netty's HTTP/3 codec with default settings. An attacker can exploit the lack of a maximum header size limit to send an enormous number of headers, causing the application to consume excessive memory.

The resulting memory exhaustion triggers an OutOfMemoryError, which can crash the application or severely degrade its performance, making it unavailable to legitimate users.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Netty to version 4.2.15.Final or later, which contains a patch that enforces a secure maximum header size limit in the Http3ConnectionHandler.

This update prevents malicious clients or servers from sending excessively large HTTP/3 headers that could cause memory exhaustion and denial of service.

Compliance Impact

The vulnerability CVE-2026-44892 allows a malicious actor to cause a denial of service via memory exhaustion by sending excessively large HTTP/3 headers due to an insecure default configuration in Netty's HTTP/3 codec.

While the vulnerability leads to a high-severity denial of service condition, there is no direct information provided about its impact on compliance with common standards and regulations such as GDPR or HIPAA.

Denial of service attacks can indirectly affect compliance by causing service unavailability, which might impact regulatory requirements for availability and reliability, but no explicit linkage or assessment is given in the provided resources.
