PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44891 netty CVE debrief

CVE-2026-44891 is a denial of service vulnerability in Netty's StompSubframeDecoder. The issue is fixed in Netty versions 4.1.136.Final and 4.2.16.Final. This vulnerability allows an attacker to send a large number of short headers that accumulate in memory, causing an OutOfMemoryError and denial of service for servers exposing a STOMP endpoint based on StompSubframeDecoder. Users of affected versions should review and apply the fixes.

Vendor
netty
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of Netty versions prior to 4.1.136.Final and 4.2.16.Final who expose a STOMP endpoint based on StompSubframeDecoder should review and apply the fixes. This includes operators, platform administrators, vulnerability management teams, and security teams responsible for Netty deployments.

Technical summary

The io.netty.handler.codec.stomp.StompSubframeDecoder in Netty fails to limit the total number of headers or their cumulative size per frame. An attacker can send a large number of short headers that accumulate in memory, causing an OutOfMemoryError and denial of service. This issue is fixed in Netty versions 4.1.136.Final and 4.2.16.Final. Affected users should update to these versions or apply mitigations.

Defensive priority

High

Recommended defensive actions

  • Inventory and verify Netty versions, focusing on those exposing STOMP endpoints.
  • Apply updates to Netty versions 4.1.136.Final or 4.2.16.Final.
  • Implement monitoring for OutOfMemoryError occurrences.
  • Review and restrict STOMP endpoint exposure.
  • Consider compensating controls like rate limiting.
  • Track exceptions and retest remediated assets.
  • Review relevant monitoring, detection, and logs for exposed assets.

Evidence notes

Official CVE and NVD records confirm the vulnerability. Limited details are available on exploitability and affected scope. Defenders should verify Netty version usage, especially in STOMP endpoint exposures, and monitor for OutOfMemoryError occurrences. Evidence is based on CVE and NVD records, with limited additional context.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T21:17:06.250Z and has not been modified since then.