High severityNVD Advisory· Published Mar 27, 2026· Updated Mar 31, 2026
Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass
CVE-2026-33871
Description
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server's lack of a limit on the number of CONTINUATION frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
io.netty:netty-codec-http2Maven | < 4.1.132.Final | 4.1.132.Final |
io.netty:netty-codec-http2Maven | >= 4.2.0.Alpha1, < 4.2.11.Final | 4.2.11.Final |
Affected products
208- osv-coords207 versionspkg:apk/chainguard/akhqpkg:apk/chainguard/apache-camel-karavan-devmodepkg:apk/chainguard/apache-hoppkg:apk/chainguard/apache-hop-fipspkg:apk/chainguard/apache-pulsar-4.0pkg:apk/chainguard/apache-pulsar-4.2pkg:apk/chainguard/apache-pulsar-fips-4.0pkg:apk/chainguard/apache-pulsar-fips-4.2pkg:apk/chainguard/apicurio-registrypkg:apk/chainguard/camunda-8.8pkg:apk/chainguard/camunda-zeebe-8.6pkg:apk/chainguard/camunda-zeebe-8.7pkg:apk/chainguard/camunda-zeebe-8.8pkg:apk/chainguard/commercial-elasticsearch-8.19pkg:apk/chainguard/commercial-elasticsearch-9.3pkg:apk/chainguard/druidpkg:apk/chainguard/elasticsearch-8.17pkg:apk/chainguard/elasticsearch-8.19pkg:apk/chainguard/elasticsearch-8.19-iamguardedpkg:apk/chainguard/elasticsearch-9.0pkg:apk/chainguard/elasticsearch-9.0-iamguardedpkg:apk/chainguard/elasticsearch-9.1pkg:apk/chainguard/elasticsearch-9.1-iamguardedpkg:apk/chainguard/elasticsearch-9.2pkg:apk/chainguard/elasticsearch-9.2-iamguardedpkg:apk/chainguard/elasticsearch-9.3pkg:apk/chainguard/elasticsearch-9.3-iamguardedpkg:apk/chainguard/elasticsearch-fips-8.17pkg:apk/chainguard/elasticsearch-fips-8.17-bitnamipkg:apk/chainguard/elasticsearch-fips-8.19pkg:apk/chainguard/elasticsearch-fips-9.0pkg:apk/chainguard/elasticsearch-fips-9.0-bitnamipkg:apk/chainguard/elasticsearch-fips-9.1pkg:apk/chainguard/elasticsearch-fips-9.2pkg:apk/chainguard/elasticsearch-fips-9.3pkg:apk/chainguard/flywaypkg:apk/chainguard/flyway-fipspkg:apk/chainguard/hono-adapter-mqttpkg:apk/chainguard/hono-clipkg:apk/chainguard/hono-service-authpkg:apk/chainguard/hono-service-command-routerpkg:apk/chainguard/hono-service-device-registry-jdbcpkg:apk/chainguard/infinispan-15.0pkg:apk/chainguard/infinispan-15.1pkg:apk/chainguard/infinispan-15.2pkg:apk/chainguard/infinispan-16.0pkg:apk/chainguard/infinispan-16.1pkg:apk/chainguard/kafbat-uipkg:apk/chainguard/kafbat-ui-fipspkg:apk/chainguard/kafka-bridgepkg:apk/chainguard/kafka-bridge-fipspkg:apk/chainguard/kayenta-2025.0pkg:apk/chainguard/kayenta-2025.1pkg:apk/chainguard/kayenta-2025.2pkg:apk/chainguard/kayenta-2025.4pkg:apk/chainguard/kayenta-2026.0pkg:apk/chainguard/kayenta-fips-2025.0pkg:apk/chainguard/kayenta-fips-2025.1pkg:apk/chainguard/kayenta-fips-2025.2pkg:apk/chainguard/kayenta-fips-2025.4pkg:apk/chainguard/kayenta-fips-2026.0pkg:apk/chainguard/keycloak-26.5pkg:apk/chainguard/keycloak-26.5-iamguarded-compatpkg:apk/chainguard/keycloak-26.5-operatorpkg:apk/chainguard/keycloak-fips-26.5pkg:apk/chainguard/keycloak-fips-26.5-iamguarded-fipspkg:apk/chainguard/keycloak-fips-26.5-operatorpkg:apk/chainguard/knative-kafka-broker-1.17-dispatcher-loompkg:apk/chainguard/knative-kafka-broker-1.17-receiver-loompkg:apk/chainguard/knative-kafka-broker-1.18-dispatcher-loompkg:apk/chainguard/knative-kafka-broker-1.18-receiver-loompkg:apk/chainguard/knative-kafka-broker-1.19-dispatcher-loompkg:apk/chainguard/knative-kafka-broker-1.19-receiver-loompkg:apk/chainguard/knative-kafka-broker-1.20-dispatcher-loompkg:apk/chainguard/knative-kafka-broker-1.20-receiver-loompkg:apk/chainguard/knative-kafka-broker-1.21-dispatcher-loompkg:apk/chainguard/knative-kafka-broker-1.21-receiver-loompkg:apk/chainguard/knative-kafka-broker-1.22-dispatcher-loompkg:apk/chainguard/knative-kafka-broker-1.22-receiver-loompkg:apk/chainguard/knative-kafka-broker-fips-1.17-dispatcher-loompkg:apk/chainguard/knative-kafka-broker-fips-1.17-receiver-loompkg:apk/chainguard/knative-kafka-broker-fips-1.18-dispatcher-loompkg:apk/chainguard/knative-kafka-broker-fips-1.18-receiver-loompkg:apk/chainguard/knative-kafka-broker-fips-1.19-dispatcher-loompkg:apk/chainguard/knative-kafka-broker-fips-1.19-receiver-loompkg:apk/chainguard/knative-kafka-broker-fips-1.20-dispatcher-loompkg:apk/chainguard/knative-kafka-broker-fips-1.20-receiver-loompkg:apk/chainguard/knative-kafka-broker-fips-1.21-dispatcher-loompkg:apk/chainguard/knative-kafka-broker-fips-1.21-receiver-loompkg:apk/chainguard/knative-kafka-broker-fips-1.22-dispatcher-loompkg:apk/chainguard/knative-kafka-broker-fips-1.22-receiver-loompkg:apk/chainguard/kserve-modelmeshpkg:apk/chainguard/localstackpkg:apk/chainguard/management-api-for-apache-cassandra-4.0pkg:apk/chainguard/management-api-for-apache-cassandra-4.1pkg:apk/chainguard/management-api-for-apache-cassandra-5.0pkg:apk/chainguard/opensearch-2-ml-commonspkg:apk/chainguard/opensearch-2-performance-analyzerpkg:apk/chainguard/opensearch-2-repository-azurepkg:apk/chainguard/opensearch-2-repository-s3pkg:apk/chainguard/opensearch-3pkg:apk/chainguard/opensearch-3-ml-commonspkg:apk/chainguard/opensearch-3-notificationspkg:apk/chainguard/opensearch-3-performance-analyzerpkg:apk/chainguard/opensearch-3-repository-azurepkg:apk/chainguard/opensearch-3-repository-s3pkg:apk/chainguard/opensearch-3-securitypkg:apk/chainguard/opensearch-3-security-analyticspkg:apk/chainguard/opensearch-fips-3pkg:apk/chainguard/opensearch-fips-3-ml-commonspkg:apk/chainguard/opensearch-fips-3-notificationspkg:apk/chainguard/opensearch-fips-3-performance-analyzerpkg:apk/chainguard/opensearch-fips-3-repository-azurepkg:apk/chainguard/opensearch-fips-3-repository-s3pkg:apk/chainguard/opensearch-fips-3-securitypkg:apk/chainguard/opensearch-fips-3-security-analyticspkg:apk/chainguard/pinotpkg:apk/chainguard/pinot-fipspkg:apk/chainguard/reposilitepkg:apk/chainguard/seata-serverpkg:apk/chainguard/spark-3.5-scala-2.12pkg:apk/chainguard/spark-3.5-scala-2.13pkg:apk/chainguard/spark-4.0-scala-2.13pkg:apk/chainguard/spark-4.1-scala-2.13pkg:apk/chainguard/spark-fips-3.5-scala-2.12pkg:apk/chainguard/spark-fips-3.5-scala-2.13pkg:apk/chainguard/spark-fips-4.1-scala-2.13pkg:apk/chainguard/strimzi-kafka-operator-kafka-thirdparty-libs-ccpkg:apk/chainguard/thingsboard-tb-mqtt-transportpkg:apk/chainguard/thingsboard-tb-nodepkg:apk/chainguard/trino-plugin-delta-lakepkg:apk/chainguard/trino-plugin-elasticsearchpkg:apk/chainguard/trino-plugin-exchange-filesystempkg:apk/chainguard/trino-plugin-exchange-hdfspkg:apk/chainguard/trino-plugin-hivepkg:apk/chainguard/trino-plugin-hudipkg:apk/chainguard/trino-plugin-icebergpkg:apk/chainguard/trino-plugin-lakehousepkg:apk/chainguard/trino-plugin-opensearchpkg:apk/chainguard/trino-plugin-pinotpkg:apk/chainguard/trino-plugin-redshiftpkg:apk/chainguard/trino-plugin-spooling-filesystempkg:apk/chainguard/wavefront-proxypkg:apk/chainguard/wazuh-indexerpkg:apk/chainguard/wazuh-indexer-plugin-ml-commonspkg:apk/chainguard/wazuh-indexer-plugin-notificationspkg:apk/chainguard/wazuh-indexer-plugin-securitypkg:apk/chainguard/wildfly-openjdk-17pkg:apk/chainguard/wildfly-openjdk-21pkg:apk/chainguard/zipkinpkg:apk/chainguard/zipkin-slimpkg:apk/wolfi/akhqpkg:apk/wolfi/apache-pulsar-4.2pkg:apk/wolfi/apicurio-registrypkg:apk/wolfi/druidpkg:apk/wolfi/flywaypkg:apk/wolfi/infinispan-15.2pkg:apk/wolfi/infinispan-16.0pkg:apk/wolfi/infinispan-16.1pkg:apk/wolfi/keycloak-26.5pkg:apk/wolfi/keycloak-26.5-iamguarded-compatpkg:apk/wolfi/keycloak-26.5-operatorpkg:apk/wolfi/kserve-modelmeshpkg:apk/wolfi/management-api-for-apache-cassandra-4.1pkg:apk/wolfi/management-api-for-apache-cassandra-5.0pkg:apk/wolfi/opensearch-2-ml-commonspkg:apk/wolfi/opensearch-2-performance-analyzerpkg:apk/wolfi/opensearch-2-repository-azurepkg:apk/wolfi/opensearch-2-repository-s3pkg:apk/wolfi/opensearch-3pkg:apk/wolfi/opensearch-3-ml-commonspkg:apk/wolfi/opensearch-3-notificationspkg:apk/wolfi/opensearch-3-performance-analyzerpkg:apk/wolfi/opensearch-3-repository-azurepkg:apk/wolfi/opensearch-3-repository-s3pkg:apk/wolfi/opensearch-3-securitypkg:apk/wolfi/opensearch-3-security-analyticspkg:apk/wolfi/spark-3.5-scala-2.12pkg:apk/wolfi/spark-3.5-scala-2.13pkg:apk/wolfi/spark-4.0-scala-2.13pkg:apk/wolfi/spark-4.1-scala-2.13pkg:apk/wolfi/strimzi-kafka-operator-kafka-thirdparty-libs-ccpkg:apk/wolfi/thingsboard-tb-mqtt-transportpkg:apk/wolfi/thingsboard-tb-nodepkg:apk/wolfi/trino-plugin-delta-lakepkg:apk/wolfi/trino-plugin-elasticsearchpkg:apk/wolfi/trino-plugin-exchange-filesystempkg:apk/wolfi/trino-plugin-exchange-hdfspkg:apk/wolfi/trino-plugin-hivepkg:apk/wolfi/trino-plugin-hudipkg:apk/wolfi/trino-plugin-icebergpkg:apk/wolfi/trino-plugin-lakehousepkg:apk/wolfi/trino-plugin-opensearchpkg:apk/wolfi/trino-plugin-pinotpkg:apk/wolfi/trino-plugin-redshiftpkg:apk/wolfi/trino-plugin-spooling-filesystempkg:apk/wolfi/wavefront-proxypkg:apk/wolfi/wildfly-openjdk-17pkg:apk/wolfi/wildfly-openjdk-21pkg:apk/wolfi/zipkinpkg:apk/wolfi/zipkin-slimpkg:maven/io.netty/netty-codec-http2pkg:rpm/opensuse/netty&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/netty&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/netty-tcnative&distro=openSUSE%20Leap%2015.6pkg:rpm/suse/netty&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7pkg:rpm/suse/netty-tcnative&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP7
< 0.27.0-r0+ 206 more
- (no CPE)range: < 0.27.0-r0
- (no CPE)range: < 4.14.2-r7
- (no CPE)range: < 2.17.0-r6
- (no CPE)range: < 2.17.0-r6
- (no CPE)range: < 4.0.9-r10
- (no CPE)range: < 4.2.1-r0
- (no CPE)range: < 4.0.9-r10
- (no CPE)range: < 4.2.1-r0
- (no CPE)range: < 3.2.0-r3
- (no CPE)range: < 8.8.22-r0
- (no CPE)range: < 8.6.39-r0
- (no CPE)range: < 8.7.27-r0
- (no CPE)range: < 8.8.22-r0
- (no CPE)range: < 8.19.15-r0
- (no CPE)range: < 9.3.4-r0
- (no CPE)range: < 36.0.0-r12
- (no CPE)range: < 8.17.10-r20
- (no CPE)range: < 8.19.14-r1
- (no CPE)range: < 8.19.14-r1
- (no CPE)range: < 9.0.8-r9
- (no CPE)range: < 9.0.8-r9
- (no CPE)range: < 9.1.10-r3
- (no CPE)range: < 9.1.10-r3
- (no CPE)range: < 9.2.8-r1
- (no CPE)range: < 9.2.8-r1
- (no CPE)range: < 9.3.3-r1
- (no CPE)range: < 9.3.3-r1
- (no CPE)range: < 8.17.10-r14
- (no CPE)range: < 8.17.10-r14
- (no CPE)range: < 8.19.13-r2
- (no CPE)range: < 9.0.8-r15
- (no CPE)range: < 9.0.8-r15
- (no CPE)range: < 9.1.10-r7
- (no CPE)range: < 9.2.7-r2
- (no CPE)range: < 9.3.2-r2
- (no CPE)range: < 12.5.0-r0
- (no CPE)range: < 12.2.0-r2
- (no CPE)range: < 2.7.0-r7
- (no CPE)range: < 2.7.0-r7
- (no CPE)range: < 2.7.0-r7
- (no CPE)range: < 2.7.0-r7
- (no CPE)range: < 2.7.0-r7
- (no CPE)range: < 15.0.22-r4
- (no CPE)range: < 15.1.7-r11
- (no CPE)range: < 15.2.6-r12
- (no CPE)range: < 16.0.8-r2
- (no CPE)range: < 16.1.2-r2
- (no CPE)range: < 1.4.2-r8
- (no CPE)range: < 1.4.2-r7
- (no CPE)range: < 0.33.1-r13
- (no CPE)range: < 0.33.1-r8
- (no CPE)range: < 2025.0.8-r10
- (no CPE)range: < 2025.1.6-r8
- (no CPE)range: < 2025.2.4-r4
- (no CPE)range: < 2025.4.3-r5
- (no CPE)range: < 2026.0.2-r5
- (no CPE)range: < 2025.0.8-r12
- (no CPE)range: < 2025.1.6-r9
- (no CPE)range: < 2025.2.4-r5
- (no CPE)range: < 2025.4.3-r6
- (no CPE)range: < 2026.0.2-r6
- (no CPE)range: < 26.5.6-r3
- (no CPE)range: < 26.5.6-r3
- (no CPE)range: < 26.5.6-r3
- (no CPE)range: < 26.5.6-r3
- (no CPE)range: < 26.5.6-r3
- (no CPE)range: < 26.5.6-r3
- (no CPE)range: < 1.17.3-r13
- (no CPE)range: < 1.17.3-r13
- (no CPE)range: < 1.18.2-r7
- (no CPE)range: < 1.18.2-r7
- (no CPE)range: < 1.19.11-r7
- (no CPE)range: < 1.19.11-r7
- (no CPE)range: < 1.20.2-r7
- (no CPE)range: < 1.20.2-r7
- (no CPE)range: < 1.21.1-r7
- (no CPE)range: < 1.21.1-r7
- (no CPE)range: < 1.22.1-r1
- (no CPE)range: < 1.22.1-r1
- (no CPE)range: < 1.17.3-r3
- (no CPE)range: < 1.17.3-r3
- (no CPE)range: < 1.18.2-r3
- (no CPE)range: < 1.18.2-r3
- (no CPE)range: < 1.19.11-r4
- (no CPE)range: < 1.19.11-r4
- (no CPE)range: < 1.20.2-r4
- (no CPE)range: < 1.20.2-r4
- (no CPE)range: < 1.21.1-r4
- (no CPE)range: < 1.21.1-r4
- (no CPE)range: < 1.22.1-r1
- (no CPE)range: < 1.22.1-r1
- (no CPE)range: < 0.12.0-r33
- (no CPE)range: < 4.14.0-r11
- (no CPE)range: < 0.1.114-r0
- (no CPE)range: < 0.1.114-r0
- (no CPE)range: < 0.1.114-r1
- (no CPE)range: < 2.19.4-r13
- (no CPE)range: < 2.19.4-r13
- (no CPE)range: < 2.19.4-r13
- (no CPE)range: < 2.19.4-r13
- (no CPE)range: < 3.6.0-r0
- (no CPE)range: < 3.6.0-r0
- (no CPE)range: < 3.5.0-r3
- (no CPE)range: < 3.5.0-r3
- (no CPE)range: < 3.6.0-r0
- (no CPE)range: < 3.5.0-r3
- (no CPE)range: < 3.5.0-r3
- (no CPE)range: < 3.6.0-r0
- (no CPE)range: < 3.5.0-r5
- (no CPE)range: < 3.6.0-r0
- (no CPE)range: < 3.5.0-r5
- (no CPE)range: < 3.5.0-r5
- (no CPE)range: < 3.5.0-r5
- (no CPE)range: < 3.5.0-r5
- (no CPE)range: < 3.5.0-r5
- (no CPE)range: < 3.6.0-r0
- (no CPE)range: < 1.4.0-r5
- (no CPE)range: < 1.4.0-r3
- (no CPE)range: < 3.5.28-r2
- (no CPE)range: < 2.6.0-r6
- (no CPE)range: < 3.5.8-r11
- (no CPE)range: < 3.5.8-r11
- (no CPE)range: < 4.0.2-r10
- (no CPE)range: < 4.1.1-r11
- (no CPE)range: < 3.5.8-r0
- (no CPE)range: < 3.5.8-r0
- (no CPE)range: < 4.1.1-r9
- (no CPE)range: < 0.51.0-r22
- (no CPE)range: < 4.3.1-r5
- (no CPE)range: < 4.3.1-r5
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 13.9-r11
- (no CPE)range: < 4.14.4-r0
- (no CPE)range: < 4.14.4-r0
- (no CPE)range: < 4.14.4-r0
- (no CPE)range: < 4.14.4-r0
- (no CPE)range: < 39.0.1-r3
- (no CPE)range: < 39.0.1-r3
- (no CPE)range: < 3.6.1-r1
- (no CPE)range: < 3.6.1-r1
- (no CPE)range: < 0.27.0-r0
- (no CPE)range: < 4.2.1-r0
- (no CPE)range: < 3.2.0-r3
- (no CPE)range: < 36.0.0-r12
- (no CPE)range: < 12.5.0-r0
- (no CPE)range: < 15.2.6-r12
- (no CPE)range: < 16.0.8-r2
- (no CPE)range: < 16.1.2-r2
- (no CPE)range: < 26.5.6-r3
- (no CPE)range: < 26.5.6-r3
- (no CPE)range: < 26.5.6-r3
- (no CPE)range: < 0.12.0-r33
- (no CPE)range: < 0.1.114-r0
- (no CPE)range: < 0.1.114-r1
- (no CPE)range: < 2.19.4-r13
- (no CPE)range: < 2.19.4-r13
- (no CPE)range: < 2.19.4-r13
- (no CPE)range: < 2.19.4-r13
- (no CPE)range: < 3.6.0-r0
- (no CPE)range: < 3.6.0-r0
- (no CPE)range: < 3.5.0-r3
- (no CPE)range: < 3.5.0-r3
- (no CPE)range: < 3.6.0-r0
- (no CPE)range: < 3.5.0-r3
- (no CPE)range: < 3.5.0-r3
- (no CPE)range: < 3.6.0-r0
- (no CPE)range: < 3.5.8-r11
- (no CPE)range: < 3.5.8-r11
- (no CPE)range: < 4.0.2-r10
- (no CPE)range: < 4.1.1-r11
- (no CPE)range: < 0.51.0-r22
- (no CPE)range: < 4.3.1-r5
- (no CPE)range: < 4.3.1-r5
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 480-r0
- (no CPE)range: < 13.9-r11
- (no CPE)range: < 39.0.1-r3
- (no CPE)range: < 39.0.1-r3
- (no CPE)range: < 3.6.1-r1
- (no CPE)range: < 3.6.1-r1
- (no CPE)range: < 4.1.132.Final
- (no CPE)range: < 4.1.132-150200.4.43.1
- (no CPE)range: < 4.1.132-1.1
- (no CPE)range: < 2.0.75-150200.3.36.1
- (no CPE)range: < 4.1.132-150200.4.43.1
- (no CPE)range: < 2.0.75-150200.3.36.1
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-w9fj-cfpg-grvvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33871ghsaADVISORY
- github.com/netty/netty/security/advisories/GHSA-w9fj-cfpg-grvvghsax_refsource_CONFIRMWEB
News mentions
1- ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking & MoreThe Hacker News · Apr 27, 2026