CVE-2026-50560

Vulnerability

The vulnerability resides in Netty's HTTP/2 codec (io.netty:netty-codec-http2). When a client sends the SETTINGS_MAX_HEADER_LIST_SIZE parameter (which per RFC 9113 is advisory), Netty enforces it but does so incorrectly: after reading and proxying the request, it attempts to write response headers and if they exceed the limit, an exception is thrown. This exception handling consumes server resources and leads to behavior similar to the HTTP/2 Rapid Reset attack. Versions prior to 4.1.135.Final and 4.2.15.Final are affected [2][3].

Exploitation

An attacker must be able to establish an HTTP/2 connection to the target. No authentication is required. The attacker sends a SETTINGS frame specifying an artificially small SETTINGS_MAX_HEADER_LIST_SIZE, then issues one or more requests whose response headers exceed that size. For each such request, Netty processes the request, proxies it to the origin (if proxying), and then raises an exception while writing the response headers, repeatedly consuming CPU and memory.

Impact

Successful exploitation causes a denial-of-service (DDoS) condition, exhausting server resources (CPU and memory). The attack is similar in effect to the HTTP/2 Rapid Reset attack but uses a different on-the-wire signature. No data disclosure, privilege escalation, or filesystem access is achieved.

Mitigation

Netty released fixes in versions 4.1.135.Final and 4.2.15.Final [2][3]. The advisory [4] recommends treating the SETTINGS_MAX_HEADER_LIST_SIZE setting as purely advisory and ignoring it when acting as a server. Users unable to upgrade should consider disabling HTTP/2 support or applying network-layer rate limiting for HTTP/2 connections. No KEV listing has been published at this time.