VYPR advisory · Published Jun 8, 2026 · 1 source

Netty: Four High-Severity DoS Vulnerabilities Disclosed Together

Key findings

  • Four high-severity DoS vulnerabilities disclosed in Netty on June 8, 2026.
  • CVE-2026-44892: Unbounded header size in HTTP/3 codec default config leads to DoS.
  • CVE-2026-44890 & CVE-2026-44250: Redis decoder and aggregator vulnerable to memory exhaustion.
  • CVE-2026-44249: IPv6 subnet filter bypass due to incorrect comparator masking.
  • All disclosed vulnerabilities are related to denial-of-service or resource exhaustion.

On June 8, 2026, a cluster of four high-severity denial-of-service (DoS) vulnerabilities was disclosed in the Netty Java network application framework. These vulnerabilities, all disclosed within minutes of each other, highlight potential weaknesses in default configurations and specific codec implementations, which could allow attackers to exhaust server resources and disrupt service availability.

The disclosures primarily revolve around memory exhaustion and unbounded resource consumption. One significant vulnerability, CVE-2026-44892, stems from a vulnerable default configuration in Netty's HTTP/3 codec. Specifically, the Http3ConnectionHandler lacks an enforced maximum header size limit. When a peer does not explicitly set HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE, Netty defaults to an unbounded limit, enabling attackers to send excessively large headers and trigger a DoS.
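The setting the advisory names, HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE, is RFC 9114's SETTINGS_MAX_FIELD_SECTION_SIZE (identifier 0x06), whose protocol default is "unlimited". That default is only meaningful for what a sender may transmit; a receiver still has to cap what it accepts from its own configuration. The following Python example is added here and is not Netty code: the names `connection_limits`, `decode_field_section`, `is_rejected` and the 8 KiB local bound are assumptions for illustration. It separates the two limits and rejects an oversized field section as soon as the running size passes the local bound, using RFC 9114 section 4.2.2's accounting (name length + value length + 32 bytes per field).

```python
"""Bounded HTTP/3 field-section handling.

Added example (not Netty code): the limit a server enforces on incoming
headers must come from its own configuration, never from the peer's
SETTINGS frame or from the absence of one.
"""
from typing import Dict, List, Optional, Tuple

# Setting identifier from RFC 9114 section 7.2.4.1.
SETTINGS_MAX_FIELD_SECTION_SIZE = 0x06
# RFC 9114 section 4.2.2: per-field overhead added to name + value length.
FIELD_OVERHEAD = 32
# Local receive bound used by this example; an assumption, not a Netty default.
LOCAL_MAX_FIELD_SECTION_SIZE = 8 * 1024

Field = Tuple[bytes, bytes]


class FieldSectionTooLarge(Exception):
    """Raised as soon as the running size of a field section passes the limit."""


def connection_limits(peer_settings: Dict[int, int],
                      local_max: int = LOCAL_MAX_FIELD_SECTION_SIZE
                      ) -> Tuple[int, Optional[int]]:
    """Return (receive_limit, send_limit) for one connection.

    receive_limit is what we accept and is always our own local_max.
    send_limit is what the peer said it accepts; the RFC default is
    unlimited, so it is None when the peer omitted the setting.  Reusing
    that None as the *receive* limit is the unbounded-default trap.
    """
    return local_max, peer_settings.get(SETTINGS_MAX_FIELD_SECTION_SIZE)


def field_section_size(fields: List[Field]) -> int:
    """Uncompressed size of a field list per RFC 9114 section 4.2.2."""
    return sum(len(name) + len(value) + FIELD_OVERHEAD for name, value in fields)


def decode_field_section(fields: List[Field], limit: int) -> List[Field]:
    """Accept fields one at a time, failing before the whole section is buffered."""
    running = 0
    accepted: List[Field] = []
    for name, value in fields:
        running += len(name) + len(value) + FIELD_OVERHEAD
        if running > limit:
            raise FieldSectionTooLarge(f"field section exceeds {limit} bytes")
        accepted.append((name, value))
    return accepted


def is_rejected(fields: List[Field], limit: int) -> bool:
    """True when decode_field_section refuses the given fields under limit."""
    try:
        decode_field_section(fields, limit)
    except FieldSectionTooLarge:
        return True
    return False


if __name__ == "__main__":
    # Constructed peer settings frame: the size setting is absent.
    receive_limit, send_limit = connection_limits({})
    normal = [(b":method", b"GET"), (b":path", b"/"), (b"user-agent", b"demo")]
    print("receive limit:", receive_limit, "send limit:", send_limit)
    print("normal request size:", field_section_size(normal),
          "rejected:", is_rejected(normal, receive_limit))
    # Constructed oversized section: one padding header well past the bound.
    flood = [(b"x-pad", b"a" * 9000)]
    print("padded request rejected:", is_rejected(flood, receive_limit))
```

The point of `connection_limits` is that the receive bound is computed without consulting the peer at all; the peer's value is only ever used to size outgoing headers.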

Further memory exhaustion issues were identified within Netty's Redis handling components. CVE-2026-44890 points to unbounded direct memory consumption in the RedisDecoder. Attackers can exploit this by sending crafted Redis payloads across multiple connections without proper terminators. This crafted input can exhaust the server's direct memory pool, leading to OutOfDirectMemoryError and preventing legitimate connections. Similarly, CVE-2026-44250 details a memory exhaustion vulnerability in the RedisArrayAggregator. By sending a Redis payload with deeply nested arrays, an attacker can force the server to allocate a massive number of state objects and collections, ultimately causing an OutOfMemoryError.
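Both Redis findings are failures to bound decoder state: bytes held while waiting for a terminator that never arrives, and per-element objects allocated for arrays nested arbitrarily deep. The following RESP decoder is an added Python example, not Netty's RedisDecoder or RedisArrayAggregator; the class and limit names (`BoundedRedisDecoder`, `max_line`, `max_pending`, `max_depth`, `max_elements`) and the default values are assumptions. It applies each limit before any state is allocated, so a nesting bomb or an unterminated payload is refused at the point it would otherwise start consuming memory.

```python
"""A RESP (Redis protocol) decoder with hard resource bounds.

Added example, not Netty code.  Two guards matter here:
  * bytes that never reach a terminator are capped (max_line for a single
    unterminated line, max_pending for the whole undecoded buffer);
  * array nesting depth and element counts are checked before a single
    element is parsed, so deeply nested arrays fail fast.
"""
from typing import Any, List, Tuple

CRLF = b"\r\n"


class ProtocolError(Exception):
    """Input violates the protocol or one of the configured limits."""


class Incomplete(Exception):
    """More bytes are needed before a message can be decoded."""


class RedisError(str):
    """A '-' error reply, kept distinct from a '+' simple string."""


class BoundedRedisDecoder:
    def __init__(self, max_line: int = 64, max_bulk: int = 512 * 1024,
                 max_depth: int = 32, max_elements: int = 1024,
                 max_pending: int = 1024 * 1024) -> None:
        self.max_line = max_line          # bytes allowed before a CRLF is seen
        self.max_bulk = max_bulk          # largest $-bulk payload accepted
        self.max_depth = max_depth        # deepest nested *-array accepted
        self.max_elements = max_elements  # most elements in one *-array
        self.max_pending = max_pending    # undecoded bytes retained per connection
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> List[Any]:
        """Append bytes from the connection and return every complete message."""
        self._buf += chunk
        messages: List[Any] = []
        pos = 0
        while pos < len(self._buf):
            try:
                msg, pos = self._parse(pos, depth=0)
            except Incomplete:
                break
            messages.append(msg)
        del self._buf[:pos]
        # Data that stays undecoded (no terminator, half an array) must never
        # pin more than max_pending bytes for one connection.
        if len(self._buf) > self.max_pending:
            raise ProtocolError("undecoded data exceeds max_pending")
        return messages

    def _read_line(self, pos: int) -> Tuple[bytearray, int]:
        end = self._buf.find(CRLF, pos)
        if end == -1:
            if len(self._buf) - pos > self.max_line:
                raise ProtocolError("line exceeds max_line without terminator")
            raise Incomplete()
        if end - pos > self.max_line:
            raise ProtocolError("line exceeds max_line")
        return self._buf[pos:end], end + 2

    @staticmethod
    def _int(line: bytearray) -> int:
        try:
            return int(line.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            raise ProtocolError("expected an integer") from None

    def _parse(self, pos: int, depth: int) -> Tuple[Any, int]:
        if pos >= len(self._buf):
            raise Incomplete()
        kind = self._buf[pos:pos + 1]
        line, pos = self._read_line(pos + 1)
        if kind == b"+":
            return line.decode("utf-8", "replace"), pos
        if kind == b"-":
            return RedisError(line.decode("utf-8", "replace")), pos
        if kind == b":":
            return self._int(line), pos
        if kind == b"$":
            n = self._int(line)
            if n == -1:
                return None, pos            # null bulk string
            if n < 0 or n > self.max_bulk:
                raise ProtocolError("bulk length out of range")
            if len(self._buf) - pos < n + 2:
                raise Incomplete()
            if self._buf[pos + n:pos + n + 2] != CRLF:
                raise ProtocolError("bulk string not CRLF-terminated")
            return bytes(self._buf[pos:pos + n]), pos + n + 2
        if kind == b"*":
            n = self._int(line)
            if n == -1:
                return None, pos            # null array
            # Both checks run before any element is parsed or stored.
            if depth + 1 > self.max_depth:
                raise ProtocolError("array nesting exceeds max_depth")
            if n < 0 or n > self.max_elements:
                raise ProtocolError("array length out of range")
            items: List[Any] = []
            for _ in range(n):
                item, pos = self._parse(pos, depth + 1)
                items.append(item)
            return items, pos
        raise ProtocolError(f"unknown type byte {bytes(kind)!r}")


def is_rejected(data: bytes, **limits: int) -> bool:
    """True when a fresh decoder with the given limits refuses `data`."""
    try:
        BoundedRedisDecoder(**limits).feed(data)
    except ProtocolError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a normal command, a nesting bomb, an unterminated line.
    print(BoundedRedisDecoder().feed(b"*2\r\n$3\r\nGET\r\n$1\r\nk\r\n"))
    print("nesting bomb rejected:", is_rejected(b"*1\r\n" * 40 + b":1\r\n"))
    print("unterminated line rejected:", is_rejected(b"$" + b"9" * 100))
```

This decoder re-parses an incomplete array from its first byte on every `feed`, which is simple but quadratic for large arrays; a production decoder keeps an explicit stack of partially built arrays. The limits are the point: `max_depth` and `max_elements` are checked at the `*` header, before the first element is decoded, so the object graph never grows past the configured bound.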

Beyond memory exhaustion, one vulnerability addresses an access control bypass. CVE-2026-44249 describes an IPv6 subnet filter bypass. This occurs due to an incorrect comparator masking operation within the IpSubnetFilterRule.compareTo() method. The flawed bitwise AND operation allows valid public IP addresses to bypass configured subnet restrictions, potentially granting unauthorized access or enabling malicious activity.
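A subnet rule is only as good as its masking arithmetic: every byte inside the prefix must be compared whole, the single partial byte must be masked to exactly the prefix's remaining bits, and bytes beyond the prefix must not influence the result. The following Python example is added here and is not Netty's IpSubnetFilterRule; `compare_masked`, `SubnetRule` and `agrees_with_stdlib` are names chosen for this illustration. It implements the comparison bytewise for both IPv4 and IPv6, and cross-checks itself against the standard library's `ipaddress` module so that a masking mistake would show up as a disagreement.

```python
"""IPv6 (and IPv4) subnet matching with correct prefix masking.

Added example, not Netty code.  compare_masked is written as a three-way
comparator so it can back a sorted rule set as well as a plain membership
check.
"""
import ipaddress
from typing import Iterable, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def compare_masked(a: bytes, b: bytes, prefix_len: int) -> int:
    """Three-way compare of two packed addresses under a /prefix_len mask.

    Returns 0 when both fall in the same subnet, otherwise -1 or 1 by the
    first differing masked byte.
    """
    if len(a) != len(b):
        raise ValueError("address families differ")
    if not 0 <= prefix_len <= len(a) * 8:
        raise ValueError("prefix length out of range for this address size")
    full_bytes, leftover_bits = divmod(prefix_len, 8)
    for i in range(full_bytes):                 # bytes entirely inside the prefix
        if a[i] != b[i]:
            return -1 if a[i] < b[i] else 1
    if leftover_bits:                           # the single partial byte
        mask = (0xFF << (8 - leftover_bits)) & 0xFF
        x, y = a[full_bytes] & mask, b[full_bytes] & mask
        if x != y:
            return -1 if x < y else 1
    return 0                                    # bytes past the prefix: ignored


class SubnetRule:
    """A CIDR rule such as '2001:db8::/32' or '10.0.0.0/8'."""

    def __init__(self, cidr: str) -> None:
        net_text, _, prefix_text = cidr.partition("/")
        self.network: IPAddress = ipaddress.ip_address(net_text)
        self.prefix_len = int(prefix_text)
        self._packed = self.network.packed
        if not 0 <= self.prefix_len <= len(self._packed) * 8:
            raise ValueError(f"bad prefix length in {cidr!r}")

    def matches(self, address: str) -> bool:
        addr = ipaddress.ip_address(address)
        if addr.version != self.network.version:
            return False                        # never match across families
        return compare_masked(addr.packed, self._packed, self.prefix_len) == 0


def agrees_with_stdlib(cidr: str, addresses: Iterable[str]) -> bool:
    """Cross-check SubnetRule against ipaddress.ip_network for every address."""
    rule = SubnetRule(cidr)
    net = ipaddress.ip_network(cidr, strict=False)
    for text in addresses:
        addr = ipaddress.ip_address(text)
        expected = addr.version == net.version and addr in net
        if rule.matches(text) != expected:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: a documentation prefix and addresses inside and outside it.
    rule = SubnetRule("2001:db8::/32")
    for sample in ("2001:db8:ffff::1", "2001:db9::1", "2001:4860:4860::8888"):
        print(sample, "matches" if rule.matches(sample) else "does not match")
    print("agrees with ipaddress:", agrees_with_stdlib(
        "2001:db8:1234::/45",
        ["2001:db8:1234::1", "2001:db8:123f::1", "2001:db8:1240::1", "2001:db8::1"]))
```

Prefix lengths that are not byte-aligned (a /33 or /45) are the cases to test first: they exercise the partial-byte mask, and an off-by-one in the shift there is enough to let an address one bit outside the range match the rule.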

All four vulnerabilities were disclosed on the same day, indicating a coordinated disclosure event. The severity of these issues, all rated as high, underscores the importance of reviewing Netty configurations and ensuring that all components are updated to patched versions. Users are advised to consult the official Netty advisories for specific version information and recommended mitigation steps. The timely disclosure and patching of these vulnerabilities are crucial for maintaining the security and stability of applications built upon the Netty framework.

This batch of vulnerabilities emphasizes the need for developers using Netty to be vigilant about default configurations and the potential for resource exhaustion attacks. Keeping Netty updated and carefully reviewing security configurations are essential practices to prevent service disruptions and potential security breaches.

Synthesized by Vypr AI