CVE-2021-3597
Description
A flaw was found in Undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is to availability. This flaw affects Undertow versions prior to 2.0.35.SP1, 2.2.6.SP1, 2.2.7.SP1, 2.0.36.SP1, 2.2.9.Final and 2.0.39.Final.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Undertow's HTTP2SourceChannel fails to write the final frame under some circumstances, causing denial of service.
Vulnerability
The vulnerability resides in Undertow's HTTP2SourceChannel which fails to write the final frame under certain conditions, resulting in a denial of service. Affected versions include all prior to 2.0.35.SP1, 2.2.6.SP1, 2.2.7.SP1, 2.0.36.SP1, 2.2.9.Final, and 2.0.39.Final. [1][2]
Exploitation
The public description names the failing component (HTTP2SourceChannel not writing the final frame) but does not state the triggering conditions, so no request pattern or timing can be given here. The exposed surface is any Undertow listener with HTTP/2 enabled; whether the trigger requires authentication is not stated by the cited sources. [1]
Impact
Successful exploitation leads to denial of service, affecting system availability. No impact on confidentiality or integrity has been reported. [1][2]
Mitigation
The issue is fixed in Undertow versions 2.0.35.SP1, 2.2.6.SP1, 2.2.7.SP1, 2.0.36.SP1, 2.2.9.Final, and 2.0.39.Final. The .SP1 builds are Red Hat support-patch releases shipped in Red Hat products; the upstream community fixes are 2.2.9.Final on the 2.2.x branch and 2.0.39.Final on the 2.0.x branch, which is why the GitHub Security Advisory ranges below list only those two. Red Hat has also addressed this in JBoss EAP 7.3.9 via RHSA-2021:3471 and related advisories. Users should upgrade to these patched versions. [2]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.undertow:undertow-core | Maven | >= 2.1.0, < 2.2.9.Final | 2.2.9.Final |
| io.undertow:undertow-core | Maven | < 2.0.39.Final | 2.0.39.Final |
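As an added example (not from the advisory, the GitHub Security Advisory, or the Undertow project), the following Python checks a declared io.undertow:undertow-core version against the ranges in the table above and scans constructed `mvn dependency:tree` output for that artifact. The range data is copied from the table. Two things are assumptions, not data from the sources: the qualifier ordering (Alpha < Beta < CR < Final < SP), and the rule that an SP build at or above one of the SP1 versions named in the description, on the same base version, counts as fixed.

```python
"""Check io.undertow:undertow-core versions against the CVE-2021-3597 ranges.

Added example; not part of the advisory or the Undertow project. Range data
is copied from the GHSA table; SP-branch handling is an inferred assumption.
"""
import re
from typing import List, Tuple

# Qualifier ordering, lowest to highest. Assumption: follows Maven's usual
# Alpha < Beta < CR < Final ordering, with Red Hat SP builds after Final.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "cr": 2, "final": 3, "sp": 4}

# Affected ranges from the GHSA table:
# (inclusive lower bound or None, exclusive upper bound).
AFFECTED_RANGES = [
    ("2.1.0", "2.2.9.Final"),  # >= 2.1.0, < 2.2.9.Final
    (None, "2.0.39.Final"),    # < 2.0.39.Final
]

# SP builds the CVE description names as fixed. Assumption: an SP build at or
# above one of these on the same base version is fixed (the GHSA ranges do
# not model these branches and would otherwise flag them).
SP_FIXED = ["2.0.35.SP1", "2.0.36.SP1", "2.2.6.SP1", "2.2.7.SP1"]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z]+)(\d*))?")
Version = Tuple[int, int, int, int, int]


def parse_version(text: str) -> Version:
    """'2.2.5.Final' -> (2, 2, 5, 3, 0); '2.0.36.SP1' -> (2, 0, 36, 4, 1).

    A bare 'x.y.z' is treated as 'x.y.z.Final', as Maven does.
    """
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Undertow version: {text!r}")
    major, minor, patch, qual, qnum = m.groups()
    rank = QUALIFIER_RANK.get((qual or "Final").lower())
    if rank is None:
        raise ValueError(f"unknown qualifier in {text!r}")
    return (int(major), int(minor), int(patch), rank, int(qnum or 0))


def is_affected(version: str, honour_sp_fixes: bool = True) -> bool:
    """True if `version` falls in an affected range for CVE-2021-3597."""
    v = parse_version(version)
    # SP branches first: the GHSA ranges alone would mark 2.0.36.SP1 affected.
    if honour_sp_fixes and v[3] == QUALIFIER_RANK["sp"]:
        for fixed in SP_FIXED:
            f = parse_version(fixed)
            if v[:3] == f[:3] and v >= f:
                return False
    for low, high in AFFECTED_RANGES:
        above_low = low is None or v >= parse_version(low)
        if above_low and v < parse_version(high):
            return True
    return False


# Matches the standard `mvn dependency:tree` line format
# groupId:artifactId:type:version:scope.
DEP_LINE = re.compile(r"io\.undertow:undertow-core:jar:([^:\s]+):")


def scan_dependency_tree(tree_output: str) -> List[Tuple[str, bool]]:
    """Return (version, affected) for every undertow-core entry in the tree."""
    hits = []
    for line in tree_output.splitlines():
        m = DEP_LINE.search(line)
        if m:
            hits.append((m.group(1), is_affected(m.group(1))))
    return hits


# Constructed sample output, not from a real build.
SAMPLE_TREE = """\
[INFO] com.example:app:war:1.0
[INFO] +- io.undertow:undertow-core:jar:2.2.5.Final:compile
[INFO] |  \\- org.jboss.xnio:xnio-api:jar:3.8.0.Final:compile
[INFO] \\- io.undertow:undertow-servlet:jar:2.2.5.Final:compile
"""

if __name__ == "__main__":
    for version, affected in scan_dependency_tree(SAMPLE_TREE):
        print(f"undertow-core {version}: {'AFFECTED' if affected else 'ok'}")
```

Pipe real `mvn dependency:tree` output into `scan_dependency_tree` to check a build. The SP list is consulted before the ranges because the two data sources disagree on those builds: by the table alone, 2.0.36.SP1 is below 2.0.39.Final and therefore affected, while the description lists it as fixed.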
Affected products
- undertow/undertow
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-mfhv-gwf8-4m88 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-3597 (NVD advisory)
- bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla)
- security.netapp.com/advisory/ntap-20220804-0003/ (NetApp advisory; CONFIRM)
News mentions
No linked articles in our index yet.