High severity | NVD Advisory · Published Mar 27, 2026 · Updated Mar 31, 2026
Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass
CVE-2026-33871
Description
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server's lack of a limit on the number of CONTINUATION frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
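The description above makes the point that a size-based bound on an in-progress header block is satisfied by zero-byte CONTINUATION frames, so a server also needs a bound on the frame count. The following is an added illustration of such a guard (hypothetical code written for this page, not Netty's own implementation or API); the class and method names and the limits are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical guard for an HTTP/2 header block that is still being assembled
 * (a HEADERS frame followed by CONTINUATION frames). Illustration only; not Netty code.
 * It bounds BOTH the accumulated payload bytes and the number of CONTINUATION frames,
 * because a byte-only bound never trips when every frame carries a zero-length payload.
 */
public final class HeaderBlockGuard {
    private static final class Block { long bytes; int continuations; }

    private final long maxHeaderBlockBytes;   // assumed size limit on the whole header block
    private final int maxContinuationFrames;  // assumed limit on frames per header block
    private final Map<Integer, Block> open = new HashMap<>();

    public HeaderBlockGuard(long maxHeaderBlockBytes, int maxContinuationFrames) {
        this.maxHeaderBlockBytes = maxHeaderBlockBytes;
        this.maxContinuationFrames = maxContinuationFrames;
    }

    /** Called for a HEADERS frame. Returns false when the connection should be closed. */
    public boolean onHeaders(int streamId, int payloadLength, boolean endHeaders) {
        if (open.containsKey(streamId)) return false; // HEADERS while a block is still open
        Block b = new Block();
        b.bytes = payloadLength;
        if (b.bytes > maxHeaderBlockBytes) return false;
        if (!endHeaders) open.put(streamId, b);
        return true;
    }

    /** Called for a CONTINUATION frame. Returns false when the connection should be closed. */
    public boolean onContinuation(int streamId, int payloadLength, boolean endHeaders) {
        Block b = open.get(streamId);
        if (b == null) return false;       // CONTINUATION with no open header block
        b.continuations++;                 // counted even when payloadLength == 0
        b.bytes += payloadLength;
        if (b.continuations > maxContinuationFrames || b.bytes > maxHeaderBlockBytes) {
            open.remove(streamId);
            return false;                  // frame-count bound trips where the byte bound cannot
        }
        if (endHeaders) open.remove(streamId);
        return true;
    }

    public static void main(String[] args) {
        HeaderBlockGuard guard = new HeaderBlockGuard(8192, 16);
        guard.onHeaders(1, 100, false);
        int accepted = 0;
        // Constructed input: zero-byte CONTINUATION frames that never set END_HEADERS.
        while (guard.onContinuation(1, 0, false)) accepted++;
        System.out.println("zero-byte CONTINUATION frames accepted before rejection: " + accepted);
    }
}
```

With only the byte bound in place the loop in `main` would never terminate, which is the behaviour the advisory describes; the frame-count bound ends it after `maxContinuationFrames` frames.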
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.netty:netty-codec-http2 | Maven | < 4.1.132.Final | 4.1.132.Final |
| io.netty:netty-codec-http2 | Maven | >= 4.2.0.Alpha1, < 4.2.11.Final | 4.2.11.Final |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 3
- github.com/advisories/GHSA-w9fj-cfpg-grvv (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33871 (ghsa, ADVISORY)
- github.com/netty/netty/security/advisories/GHSA-w9fj-cfpg-grvv (ghsa, x_refsource_CONFIRM, WEB)
News mentions: 0
No linked articles in our index yet.