CVE-2026-47244
Undergoing Analysis - In Progress
Memory Exhaustion in Netty HTTP/2 Server

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
CVSS Scores: none listed.
EPSS Scores: not yet evaluated (N/A).
References: NVD, EUVD
Affected Vendors & Products
Showing 2 associated CPEs

Vendor   Product   Version / Range
netty    netty     4.2 branch: from 4.2.0.Final (inclusive) up to 4.2.14.Final (inclusive); fixed in 4.2.15.Final
netty    netty     4.1 branch: up to 4.1.134.Final (inclusive); fixed in 4.1.135.Final
Exploitability
CWE-400 (Uncontrolled Resource Consumption): The product does not properly control the allocation and maintenance of a limited resource.
Executive Summary

The CVE-2026-47244 vulnerability affects Netty's HTTP/2 implementation in versions prior to 4.1.135.Final and 4.2.15.Final. The issue is that the DefaultHttp2Connection.DefaultEndpoint class initializes the maximum number of active streams to Integer.MAX_VALUE, and the Http2Settings class does not set a default limit for maximum concurrent streams unless the application explicitly configures it. As a result, a Netty HTTP/2 server may advertise no limit on concurrent streams and enforce no limit locally.

This allows an attacker to create an excessive number of long-lived streams on a single TCP connection. Each stream consumes resources such as DefaultStream objects, PropertyMap slots, flow-controller state, and IntObjectHashMap entries. Because there can be up to about 2^30 permissible odd stream IDs, a single connection can create hundreds of thousands of these streams, potentially exhausting server resources.

This vulnerability also sets the stage for Rapid-Reset amplification attacks similar to CVE-2023-44487, where the lack of a low concurrent stream cap multiplies backend workload.
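
The mechanism in the Description and the summary above, as an added example that is not Netty's own code: it builds a server-side DefaultHttp2Connection directly (no sockets), shows that Http2Settings.defaultSettings() carries no maxConcurrentStreams and that the client endpoint starts at Integer.MAX_VALUE, then opens odd-ID streams the way the decoder does for incoming HEADERS until the endpoint refuses one, first without a cap and then after applying the cap a hardened server would push onto connection.remote() once the client ACKs its SETTINGS. The cap of 100, the 200,000 attempts and the class name are assumptions; it targets the netty-codec-http2 4.1.x API.

```java
import io.netty.handler.codec.http2.DefaultHttp2Connection;
import io.netty.handler.codec.http2.Http2Connection;
import io.netty.handler.codec.http2.Http2Exception;
import io.netty.handler.codec.http2.Http2Settings;

/** Added example (not Netty's own code): the unbounded stream cap and what an explicit cap changes. */
public final class StreamCapDemo {

    /** Assumed cap a hardened server would advertise as SETTINGS_MAX_CONCURRENT_STREAMS. */
    static final int CAP = 100;
    /** Assumed number of streams the "attacker" tries to open; far below the ~2^30 odd IDs available. */
    static final int ATTEMPTS = 200_000;

    /**
     * Open client-initiated (odd-ID) streams on a server-side connection, as the decoder does when
     * HEADERS frames arrive, until the endpoint refuses one. Returns how many were accepted.
     */
    static int openUntilRefused(Http2Connection connection, int attempts) {
        Http2Connection.Endpoint<?> client = connection.remote(); // on a server, remote() is the client
        int accepted = 0;
        for (int streamId = 1; accepted < attempts; streamId += 2) {
            if (!client.canOpenStream()) {            // numActiveStreams < maxActiveStreams
                break;
            }
            try {
                // OPEN state: allocates a DefaultStream, registers it in the stream map, counts as active
                client.createStream(streamId, false);
                accepted++;
            } catch (Http2Exception e) {               // REFUSED_STREAM once the cap is reached
                break;
            }
        }
        return accepted;
    }

    /** Simulates the decoder applying our local SETTINGS to the peer endpoint after the peer ACKs them. */
    static void applyCap(Http2Connection connection, Http2Settings localSettings) {
        Long max = localSettings.maxConcurrentStreams();
        if (max != null) {
            connection.remote().maxActiveStreams((int) Math.min(max, Integer.MAX_VALUE));
        }
    }

    public static void main(String[] args) {
        // Vulnerable default: Http2Settings never carries SETTINGS_MAX_CONCURRENT_STREAMS on its own ...
        Http2Settings defaults = Http2Settings.defaultSettings();
        System.out.println("default maxConcurrentStreams: " + defaults.maxConcurrentStreams());

        // ... and the peer endpoint starts at Integer.MAX_VALUE, so one connection can keep going.
        DefaultHttp2Connection unbounded = new DefaultHttp2Connection(true);
        System.out.println("initial remote().maxActiveStreams(): " + unbounded.remote().maxActiveStreams());
        System.out.println("accepted without cap: " + openUntilRefused(unbounded, ATTEMPTS));

        // Hardened: the cap the server advertises becomes the peer endpoint's maxActiveStreams.
        DefaultHttp2Connection capped = new DefaultHttp2Connection(true);
        applyCap(capped, Http2Settings.defaultSettings().maxConcurrentStreams(CAP));
        System.out.println("accepted with cap: " + openUntilRefused(capped, ATTEMPTS));
    }
}
```

The first connection accepts every attempt and the JVM keeps all of those DefaultStream objects alive for as long as the connection lives; the second stops at CAP and rejects the next stream with REFUSED_STREAM, which is exactly the check that the missing default setting leaves disabled.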

Compliance Impact

The vulnerability primarily impacts the availability of the Netty HTTP/2 server by allowing resource exhaustion through an unlimited number of concurrent streams. There is no direct information indicating an impact on confidentiality or integrity of data.

Since the vulnerability affects availability, it could indirectly affect compliance with standards like GDPR or HIPAA if the affected systems are required to maintain service availability as part of their regulatory obligations. However, no explicit connection to compliance violations or data breaches is provided.

Impact Analysis

A single TCP connection is enough: the attacker opens a very large number of HTTP/2 streams and leaves them open, and each one holds a DefaultStream object plus its property slots, flow-control state and stream-map entry on the JVM heap. Without a cap the heap fills and garbage-collection pressure grows until the process can no longer serve legitimate requests.

The impact is on availability, i.e. denial of service. Because one connection suffices, per-IP connection limits at a load balancer or firewall do not prevent it; only a per-connection stream cap does, advertised in SETTINGS_MAX_CONCURRENT_STREAMS and enforced locally.

Detection Guidance

You are exposed if your application runs netty-codec-http2 from the 4.2 branch between 4.2.0.Final and 4.2.14.Final inclusive, or from the 4.1 branch at 4.1.134.Final or earlier, and does not itself call initialSettings().maxConcurrentStreams(n) on the builder that creates its server codec.

You can check the Netty version used by your application by inspecting the application dependencies or runtime environment.

Additionally, monitoring for unusually high numbers of concurrent HTTP/2 streams on a single TCP connection may indicate exploitation attempts.

There are no specific commands provided in the resources, but general checks include:

  • At build time: `mvn dependency:tree | grep netty` or `./gradlew dependencies --configuration runtimeClasspath | grep netty`, and the Netty versions in pom.xml or build.gradle. Frameworks that bundle Netty (gRPC, Reactor Netty, Vert.x and similar) pull in netty-codec-http2 transitively and may pin an older version or configure their own settings, so check the version that is actually resolved.
  • At runtime: `jps -l` lists JVM processes; `jcmd <pid> VM.version` reports the JVM version, not Netty's. To see which Netty jars are loaded, use `jcmd <pid> VM.system_properties` and read java.class.path, or call `io.netty.util.Version.identify()` inside the application, which returns the artifactVersion of every Netty jar on the classpath.
  • On the wire: connect with an HTTP/2 client that prints the server's SETTINGS frame, e.g. `nghttp -nv https://host/`. A vulnerable server's SETTINGS frame contains no SETTINGS_MAX_CONCURRENT_STREAMS entry, which per RFC 7540 means unlimited. `tcpdump` or Wireshark can decode the same frame and count open streams per connection, but only for cleartext h2c or with the TLS session keys.
Mitigation Strategies

The primary mitigation is to upgrade to a patched Netty release.

  • Upgrade netty-codec-http2 (and the rest of the Netty artifacts, ideally via the Netty BOM) to 4.2.15.Final or later on the 4.2 branch, or 4.1.135.Final or later on the 4.1 branch. Confirm that any framework bundling Netty resolves to the patched version rather than pinning an older one.

If upgrading immediately is not possible, set the limit yourself: call `initialSettings(new Http2Settings().maxConcurrentStreams(n))` on the Http2FrameCodecBuilder, Http2ConnectionHandlerBuilder or other AbstractHttp2ConnectionHandlerBuilder subclass that builds your server codec, with n on the order of 100, which is what most HTTP/2 servers and proxies advertise. The server then sends SETTINGS_MAX_CONCURRENT_STREAMS in its first SETTINGS frame and enforces it on the client endpoint; applications that already do this are not affected. The cap bounds streams that are open at once, not stream churn: against Rapid Reset (CVE-2023-44487) also enable Netty's RST_STREAM rate limit (`decoderEnforceMaxRstFramesPerWindow`, available since 4.1.100.Final).

Monitor the server for abnormal numbers of concurrent streams per connection and for heap growth or GC pressure that tracks individual connections, which would indicate exploitation.
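
The configuration described above, as an added example that is not the project's own code: a server ChannelInitializer that builds the Netty HTTP/2 codec with an explicit SETTINGS_MAX_CONCURRENT_STREAMS, beside the weak builder call that omits it. The class name, the value 100, the 200-per-30-seconds RST_STREAM window and the cleartext (prior-knowledge h2c) pipeline are assumptions; decoderEnforceMaxRstFramesPerWindow is the Rapid Reset option Netty added in 4.1.100.Final and is a complement, not the fix for this CVE.

```java
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.codec.http2.Http2FrameCodec;
import io.netty.handler.codec.http2.Http2FrameCodecBuilder;
import io.netty.handler.codec.http2.Http2MultiplexHandler;
import io.netty.handler.codec.http2.Http2Settings;

/**
 * Added example, not Netty's own code: the vulnerable default codec beside a hardened one.
 * Assumes a cleartext (prior-knowledge h2c) pipeline; under TLS the same codec is installed
 * from an ALPN handler once "h2" is negotiated.
 */
public final class CappedHttp2ServerInitializer extends ChannelInitializer<SocketChannel> {

    /** Cap on concurrently open streams per connection. Assumed value; tune for the service. */
    static final long MAX_CONCURRENT_STREAMS = 100L;

    private final ChannelHandler streamHandler; // per-stream child handler supplied by the application

    public CappedHttp2ServerInitializer(ChannelHandler streamHandler) {
        this.streamHandler = streamHandler;
    }

    /** Weak: no initialSettings() call, so SETTINGS_MAX_CONCURRENT_STREAMS is never advertised or enforced. */
    static Http2FrameCodec weakCodec() {
        return Http2FrameCodecBuilder.forServer().build();
    }

    /** Hardened: advertise the cap in the server's first SETTINGS frame and enforce it on the client endpoint. */
    static Http2FrameCodec cappedCodec() {
        Http2Settings settings = Http2Settings.defaultSettings()
                .maxConcurrentStreams(MAX_CONCURRENT_STREAMS);
        return Http2FrameCodecBuilder.forServer()
                .initialSettings(settings)
                // Rapid Reset complement: drop the connection if the peer sends more than
                // 200 RST_STREAM frames within 30 seconds (assumed window; Netty's own defaults apply otherwise).
                .decoderEnforceMaxRstFramesPerWindow(200, 30)
                .build();
    }

    /** Startup self-check: true only if the settings we are about to send carry a finite, positive cap. */
    static boolean advertisesStreamCap(Http2Settings settings) {
        Long cap = settings.maxConcurrentStreams();
        return cap != null && cap > 0 && cap < Integer.MAX_VALUE;
    }

    @Override
    protected void initChannel(SocketChannel ch) {
        Http2FrameCodec codec = cappedCodec();
        ch.pipeline().addLast(codec, new Http2MultiplexHandler(streamHandler));
    }
}
```

advertisesStreamCap() is meant to be called on the Http2Settings passed to initialSettings() during application startup so the service fails fast if someone reverts to the weak builder; the same check applied to Http2Settings.defaultSettings() returns false, which is the condition this CVE describes.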
