PatchSiren cyber security CVE debrief
CVE-2026-44891 netty CVE debrief
CVE-2026-44891 is a denial of service vulnerability in Netty's StompSubframeDecoder. The issue is fixed in Netty versions 4.1.136.Final and 4.2.16.Final. This vulnerability allows an attacker to send a large number of short headers that accumulate in memory, causing an OutOfMemoryError and denial of service for servers exposing a STOMP endpoint based on StompSubframeDecoder. Users of affected versions should review and apply the fixes.
- Vendor
- netty
- Product
- Unknown
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of Netty versions prior to 4.1.136.Final and 4.2.16.Final who expose a STOMP endpoint based on StompSubframeDecoder should review and apply the fixes. This includes operators, platform administrators, vulnerability management teams, and security teams responsible for Netty deployments.
Technical summary
The io.netty.handler.codec.stomp.StompSubframeDecoder in Netty fails to limit the total number of headers or their cumulative size per frame. An attacker can send a large number of short headers that accumulate in memory, causing an OutOfMemoryError and denial of service. This issue is fixed in Netty versions 4.1.136.Final and 4.2.16.Final. Affected users should update to these versions or apply mitigations.
Defensive priority
High
Recommended defensive actions
- Inventory and verify Netty versions, focusing on those exposing STOMP endpoints.
- Apply updates to Netty versions 4.1.136.Final or 4.2.16.Final.
- Implement monitoring for OutOfMemoryError occurrences.
- Review and restrict STOMP endpoint exposure.
- Consider compensating controls like rate limiting.
- Track exceptions and retest remediated assets.
- Review relevant monitoring, detection, and logs for exposed assets.
Evidence notes
Official CVE and NVD records confirm the vulnerability. Limited details are available on exploitability and affected scope. Defenders should verify Netty version usage, especially in STOMP endpoint exposures, and monitor for OutOfMemoryError occurrences. Evidence is based on CVE and NVD records, with limited additional context.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T21:17:06.250Z and has not been modified since then.