PatchSiren cyber security CVE debrief
CVE-2026-47244 netty CVE debrief
CVE-2026-47244 is a vulnerability in Netty's HTTP/2 server implementation. Prior to versions 4.1.135.Final and 4.2.15.Final, the server could allocate excessive stream objects, potentially leading to resource exhaustion and amplification attacks. The issue arises from the DefaultHttp2Connection.DefaultEndpoint initializing maxActiveStreams/maxStreams to Integer.MAX_VALUE and Http2Settings not inserting SETTINGS_MAX_CONCURRENT_STREAMS by default.
- Vendor: netty
- Product: Unknown
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Netty's HTTP/2 server implementation, especially those who have not explicitly set a limit on concurrent streams, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by the DefaultHttp2Connection.DefaultEndpoint initializing maxActiveStreams/maxStreams to Integer.MAX_VALUE. Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), the Netty HTTP/2 server advertises no limit and enforces none locally. This can lead to the creation of hundreds of thousands of long-lived stream objects, which can cause resource exhaustion and potentially be used for amplification attacks.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to Netty 4.1.135.Final or later on the 4.1 line, or 4.2.15.Final or later on the 4.2 line.
- Regardless of version, explicitly set a limit on concurrent streams via initialSettings().maxConcurrentStreams(n) so the server both advertises SETTINGS_MAX_CONCURRENT_STREAMS and enforces it locally.
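The following Java pipeline initializer is an added example, not code from the advisory or from the Netty project, showing the unbounded default beside the hardened configuration using the Http2FrameCodecBuilder API from netty-codec-http2. The value 100 for the stream cap and the Http2StreamLimitInitializer class name are assumptions chosen for illustration; the per-stream application handler passed to Http2MultiplexHandler is whatever your service already uses.

```java
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.codec.http2.Http2FrameCodec;
import io.netty.handler.codec.http2.Http2FrameCodecBuilder;
import io.netty.handler.codec.http2.Http2MultiplexHandler;
import io.netty.handler.codec.http2.Http2Settings;

/**
 * Server-side HTTP/2 pipeline setup that always advertises and enforces a
 * SETTINGS_MAX_CONCURRENT_STREAMS value. Example code (assumed class name).
 */
public final class Http2StreamLimitInitializer extends ChannelInitializer<SocketChannel> {

    /** Assumed cap on streams a single peer may hold open; tune to the service's capacity. */
    static final long MAX_CONCURRENT_STREAMS = 100L;

    private final ChannelHandler perStreamHandler;

    public Http2StreamLimitInitializer(ChannelHandler perStreamHandler) {
        this.perStreamHandler = perStreamHandler;
    }

    /**
     * Weak configuration: nothing calls maxConcurrentStreams(), so the endpoint
     * keeps its Integer.MAX_VALUE default and no limit is sent to the peer.
     * Kept here only to show the contrast; do not use.
     */
    static Http2FrameCodec unboundedServerCodec() {
        return Http2FrameCodecBuilder.forServer().build();
    }

    /**
     * Hardened configuration: an explicit Http2Settings with the stream cap is
     * handed to the builder, so the limit is advertised in the server's initial
     * SETTINGS frame and applied to streams the peer opens on this connection.
     */
    static Http2FrameCodec boundedServerCodec(long maxConcurrentStreams) {
        Http2Settings settings = Http2Settings.defaultSettings()
                .maxConcurrentStreams(maxConcurrentStreams);
        return Http2FrameCodecBuilder.forServer()
                .initialSettings(settings)
                .build();
    }

    /**
     * Equivalent form using the advisory's wording: mutate the builder's own
     * settings object through the initialSettings() getter before building.
     */
    static Http2FrameCodec boundedServerCodecViaGetter(long maxConcurrentStreams) {
        Http2FrameCodecBuilder builder = Http2FrameCodecBuilder.forServer();
        builder.initialSettings().maxConcurrentStreams(maxConcurrentStreams);
        return builder.build();
    }

    @Override
    protected void initChannel(SocketChannel ch) {
        // Install the bounded codec; Http2MultiplexHandler creates one child
        // channel per stream, which is exactly the object count the cap limits.
        ch.pipeline().addLast(
                boundedServerCodec(MAX_CONCURRENT_STREAMS),
                new Http2MultiplexHandler(perStreamHandler));
    }
}
```

Pick the cap from the service's real concurrency needs rather than copying 100; the point is that an explicit, bounded value replaces the Integer.MAX_VALUE default, so a peer that opens streams far beyond what the service can serve is refused at the protocol level instead of being allowed to accumulate stream objects. On versions before the fix this explicit setting is the only thing that advertises and enforces the limit, so it belongs in the pipeline setup even after upgrading.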
Evidence notes
The vulnerability is addressed in Netty versions 4.1.135.Final and 4.2.15.Final. Users can find more information at [ref-4], [ref-5], and [ref-6].
Official resources
CVE-2026-47244 was published on 2026-06-12T15:16:29.217Z and modified on 2026-06-12T15:55:06.377Z.