PatchSiren cyber security CVE debrief
CVE-2026-44892 netty CVE debrief
CVE-2026-44892 is a HIGH severity vulnerability in the Netty network application framework. The `Http3ConnectionHandler` in Netty's HTTP/3 codec ships with a default configuration that does not enforce a maximum header size. When no `HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE` value is configured, the implementation falls back to an unbounded limit, so a malicious client or server can send an arbitrarily large header block and drive the process into an `OutOfMemoryError`, a memory-exhaustion Denial of Service. The vulnerability carries a CVSS score of 7.5 and the record is published at [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-44892).
- Vendor: netty
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Anyone running Netty's HTTP/3 codec on a version earlier than 4.2.15.Final, whether Netty acts as the HTTP/3 server or the HTTP/3 client. The description covers a malicious peer in either role, so both sides of a connection are exposed.
Technical summary
The default configuration of the `Http3ConnectionHandler` in Netty's HTTP/3 codec lacks an enforced maximum header size limit, so the decoder will accept an arbitrarily large header block from the peer. A malicious client or server can exploit this to cause a Denial of Service via `OutOfMemoryError`.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Netty version 4.2.15.Final or later, the first release that contains the fix.
- Review the configuration of `Http3ConnectionHandler` and set an explicit maximum header size (`HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE`) sized for the headers your application legitimately needs. Apply it on both the server and the client side, since a malicious peer in either role can trigger the condition.
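The following is an added example, not code from the Netty project or from the advisory, showing the weak default beside a hardened configuration. It assumes the Netty 4.2 package names `io.netty.handler.codec.http3` and `io.netty.handler.codec.quic`, the `Http3ServerConnectionHandler` constructor overload that accepts a local `Http3SettingsFrame`, and a chosen limit of 8 KiB (the constant `MAX_FIELD_SECTION_BYTES` and the class and method names are the example's own). `InsecureQuicTokenHandler` is used only to keep the example short; production servers need a real token handler.

```java
import java.util.concurrent.TimeUnit;

import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelInitializer;
import io.netty.handler.codec.http3.DefaultHttp3SettingsFrame;
import io.netty.handler.codec.http3.Http3;
import io.netty.handler.codec.http3.Http3ServerConnectionHandler;
import io.netty.handler.codec.http3.Http3SettingsFrame;
import io.netty.handler.codec.quic.InsecureQuicTokenHandler;
import io.netty.handler.codec.quic.QuicChannel;
import io.netty.handler.codec.quic.QuicSslContext;

public final class Http3HeaderLimitExample {

    // Assumed value for this example: the largest uncompressed header block
    // (name + value bytes plus 32 per field, as in HTTP/2) the server will accept.
    static final long MAX_FIELD_SECTION_BYTES = 8 * 1024;

    /** Weak: no local SETTINGS are supplied, so the codec falls back to its default limit. */
    static Http3ServerConnectionHandler unboundedHandler(ChannelHandler requestStreamHandler) {
        return new Http3ServerConnectionHandler(requestStreamHandler);
    }

    /** Local SETTINGS carrying an explicit HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE. */
    static Http3SettingsFrame boundedLocalSettings() {
        Http3SettingsFrame settings = new DefaultHttp3SettingsFrame();
        settings.put(Http3SettingsFrame.HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE, MAX_FIELD_SECTION_BYTES);
        return settings;
    }

    /** Hardened: the limit is advertised to the peer and enforced on decoded header blocks. */
    static Http3ServerConnectionHandler boundedHandler(ChannelHandler requestStreamHandler) {
        return new Http3ServerConnectionHandler(
                requestStreamHandler,
                null,                    // inboundControlStreamHandler: no custom control-stream handling
                null,                    // unknownInboundStreamHandlerFactory: no custom handling of unknown streams
                boundedLocalSettings(),  // local SETTINGS with the explicit header size limit
                false);                  // keep the QPACK dynamic table enabled
    }

    /** Builds the QUIC server codec that installs the hardened handler on every connection. */
    static ChannelHandler serverCodec(QuicSslContext sslContext, ChannelHandler requestStreamHandler) {
        return Http3.newQuicServerCodecBuilder()
                .sslContext(sslContext)
                .maxIdleTimeout(5000, TimeUnit.MILLISECONDS)
                .initialMaxData(10_000_000)
                .initialMaxStreamDataBidirectionalLocal(1_000_000)
                .initialMaxStreamDataBidirectionalRemote(1_000_000)
                .initialMaxStreamsBidirectional(100)
                .tokenHandler(InsecureQuicTokenHandler.INSTANCE) // example only, not for production
                .handler(new ChannelInitializer<QuicChannel>() {
                    @Override
                    protected void initChannel(QuicChannel ch) {
                        // One Http3ServerConnectionHandler per QUIC connection, with the limit set.
                        ch.pipeline().addLast(boundedHandler(requestStreamHandler));
                    }
                })
                .build();
    }
}
```

The same `Http3SettingsFrame` can be passed to the `Http3ClientConnectionHandler` constructor overload that takes local settings (an assumption about that class's signature, which should be checked against the version in use), so that a Netty HTTP/3 client is protected against a malicious server as well. Keep setting the limit explicitly after upgrading to 4.2.15.Final too: the value your application actually needs is usually far smaller than any library default.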
Evidence notes
The vulnerability was patched in Netty version 4.2.15.Final. The release notes [ref-4](https://github.com/netty/netty/releases/tag/netty-4.2.15.Final) and the GitHub security advisory [ref-5](https://github.com/netty/netty/security/advisories/GHSA-c2rx-5r8w-8xr2) provide additional information.
Official resources
CVE-2026-44892 was published on 2026-06-12T05:16:32.007Z and modified on 2026-06-12T15:55:06.377Z.