CVE-2026-50560
Status: Undergoing Analysis - In Progress
HTTP/2 Rapid Reset in Netty Framework

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification called `SETTINGS_MAX_HEADER_LIST_SIZE`. When a client sends that setting to Netty, it appears that Netty will behave as follows: read the request; proxy the request to the origin; attempt to produce a response; and create an exception while writing the headers for the response. Functionally, this should be similar to the http2 reset attack, but with a different on-the-wire signature. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Meta Information
Generated: 2026-06-12
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products (showing 4 associated CPEs)
Vendor   Product   Version / Range
netty    netty     from 4.2.0.Final (inclusive) to 4.2.15.Final (exclusive)
netty    netty     from 4.1.134.Final (inclusive) to 4.1.135.Final (exclusive)
netty    netty     4.1.135.Final
netty    netty     4.2.15.Final
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability affects Netty versions prior to 4.1.135.Final and 4.2.15.Final and involves improper handling of the HTTP/2 SETTINGS_MAX_HEADER_LIST_SIZE setting.

When a client sends this setting, Netty reads the request, proxies it to the origin server, attempts to produce a response, but then throws an exception while writing the response headers. This causes the connection to reset unexpectedly.

This behavior mimics an HTTP/2 Rapid Reset attack, which can disrupt normal communication, but with a different network signature. The root cause is that Netty does not properly ignore or handle this advisory setting from clients, even though the HTTP/2 specification states servers are not required to honor it.

The issue is fixed in Netty versions 4.1.135.Final and 4.2.15.Final by treating SETTINGS_MAX_HEADER_LIST_SIZE as advisory and ignoring it.

Impact Analysis

This vulnerability can be exploited to cause unexpected connection resets in Netty-based HTTP/2 servers, effectively disrupting service availability.

Because the server throws exceptions and resets connections when handling certain client settings, an attacker could use this behavior to perform a denial-of-service (DoS) attack, impacting the reliability and stability of applications using vulnerable Netty versions.

Detection Guidance

This vulnerability can be detected by monitoring HTTP/2 traffic for unusual connection resets that follow a client SETTINGS frame carrying SETTINGS_MAX_HEADER_LIST_SIZE. Specifically, if a client sends this setting and the server reads the request, proxies it, attempts to respond, and then throws an exception while writing the response headers, that sequence indicates the presence of the vulnerability.

To detect this on your system, capture and analyze HTTP/2 traffic with network monitoring tools such as Wireshark or tcpdump, looking for RST_STREAM or GOAWAY frames (or abrupt TCP resets) that follow such SETTINGS frames. The exception itself is only visible on the server, so correlate the capture with header-encoding errors in the Netty application's logs.

Example commands to capture HTTP/2 traffic on a network interface (e.g., eth0) include:

  • tcpdump -i eth0 -w capture.pcap 'tcp port 443'
  • tshark -r capture.pcap -Y 'http2.settings.parameter == 0x6' -V

Here, 'http2.settings.parameter == 0x6' is intended to select SETTINGS frames carrying SETTINGS_MAX_HEADER_LIST_SIZE (identifier 0x6); verify the field name against your own build with 'tshark -G fields | grep http2.settings' before relying on the filter. Note also that a capture on port 443 is TLS-encrypted, so tshark can only dissect the HTTP/2 frames inside it if the TLS session keys are available (for example a key log file supplied via '-o tls.keylog_file:keys.log') or if the capture is taken at a point where HTTP/2 is carried in cleartext, such as between a TLS-terminating proxy and the Netty server. RST_STREAM or GOAWAY frames, or abrupt TCP resets, following these SETTINGS frames may indicate exploitation attempts or the presence of the vulnerability.
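To go one step beyond the tshark filter, the following added example (not code from this page or from the Netty project) parses plaintext HTTP/2 frames from both directions of a connection, such as a decrypted capture exported from Wireshark or a cleartext h2c capture, and reports the combined indicator described above: a client SETTINGS frame carrying identifier 0x6 together with RST_STREAM or GOAWAY frames from the server. The sample bytes are constructed inline; the frame() helper and the value 4096 are assumptions made for the demonstration.

```python
import struct

# HTTP/2 frame type codes and the SETTINGS identifier (RFC 9113); 0x6 is what the tshark filter matches
SETTINGS, RST_STREAM, GOAWAY = 0x4, 0x3, 0x7
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6
CONNECTION_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete HTTP/2 frame in data."""
    if data.startswith(CONNECTION_PREFACE):
        data = data[len(CONNECTION_PREFACE):]  # the client's byte stream begins with the preface
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated frame at the end of the capture
        yield ftype, flags, stream_id, payload
        off += 9 + length

def settings_values(payload):
    """Decode a SETTINGS payload (16-bit identifier, 32-bit value pairs) into {identifier: value}."""
    if len(payload) % 6:
        return {}  # malformed payload: ignore it rather than crash the detector
    return dict(struct.unpack(">HI", payload[i:i + 6]) for i in range(0, len(payload), 6))

def assess(client_bytes, server_bytes):
    """Flag the pattern described above: client advertises identifier 0x6, server answers with resets."""
    advertised = []
    for ftype, flags, _, payload in parse_frames(client_bytes):
        if ftype == SETTINGS and not flags & 0x1:  # skip SETTINGS ACK frames, which carry no parameters
            value = settings_values(payload).get(SETTINGS_MAX_HEADER_LIST_SIZE)
            if value is not None:
                advertised.append(value)
    resets = sum(1 for ftype, _, _, _ in parse_frames(server_bytes) if ftype in (RST_STREAM, GOAWAY))
    return {"max_header_list_size": advertised, "reset_frames": resets,
            "suspicious": bool(advertised) and resets > 0}

def frame(ftype, flags, stream_id, payload):
    """Build one HTTP/2 frame; used only to construct the sample bytes below (not captured traffic)."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack(">I", stream_id) + payload

# Constructed sample: the client advertises SETTINGS_MAX_HEADER_LIST_SIZE=4096 (an assumed value),
# and the server side of the connection carries a RST_STREAM for stream 1 followed by a GOAWAY.
CLIENT_SAMPLE = CONNECTION_PREFACE + frame(SETTINGS, 0, 0, struct.pack(">HI", SETTINGS_MAX_HEADER_LIST_SIZE, 4096))
SERVER_SAMPLE = (frame(SETTINGS, 0, 0, b"") + frame(RST_STREAM, 0, 1, struct.pack(">I", 0x1))
                 + frame(GOAWAY, 0, 0, struct.pack(">II", 1, 0xB)))
```

Many ordinary HTTP/2 clients advertise this setting, so the presence of identifier 0x6 on its own is not an indicator; the check only reports "suspicious" when the server side also contains reset frames.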

Mitigation Strategies

The immediate mitigation step is to upgrade Netty to a patched version where this vulnerability is fixed. Specifically, upgrade to Netty versions 4.1.135.Final or 4.2.15.Final or later.

The root cause is that Netty improperly handles the SETTINGS_MAX_HEADER_LIST_SIZE setting from clients. The fix involves treating this setting as advisory and ignoring it, as per the HTTP/2 specification, since servers are not required to honor it.

Until you can upgrade, consider monitoring HTTP/2 traffic that includes the SETTINGS_MAX_HEADER_LIST_SIZE setting and filtering or rate-limiting clients whose use of it is followed by repeated resets. Because many ordinary HTTP/2 clients advertise this setting routinely, blocking on its mere presence would disrupt legitimate traffic; act on the combination of the setting and the reset pattern rather than on the setting alone.
