PatchSiren cyber security CVE debrief
CVE-2026-50560 netty CVE debrief
CVE-2026-50560 is a vulnerability in Netty, a network application framework. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's handling of the HTTP/2 maximum header size enables an attack similar to HTTP/2 Rapid Reset. The vulnerability stems from the `SETTINGS_MAX_HEADER_LIST_SIZE` setting defined in the HTTP/2 specification: when a client sends this setting to Netty, it can cause Netty to behave in a way that resembles the HTTP/2 reset attack, but with a different on-the-wire signature. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
- Vendor: netty
- Product: Unknown
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-15
Who should care
Users of Netty prior to versions 4.1.135.Final and 4.2.15.Final should be aware of this vulnerability and take steps to upgrade to a patched version.
Technical summary
The vulnerability stems from the `SETTINGS_MAX_HEADER_LIST_SIZE` setting defined in the HTTP/2 specification. When a client sends this setting to Netty, it can cause Netty to behave in a way that resembles the HTTP/2 reset attack, but with a different on-the-wire signature, so detections keyed to the Rapid Reset pattern may not match it.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to Netty 4.1.135.Final or later on the 4.1 branch, or 4.2.15.Final or later on the 4.2 branch.
- Review and adjust the `SETTINGS_MAX_HEADER_LIST_SIZE` setting in your Netty configuration.
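The first action above is only actionable once you know which Netty artifacts a build actually pulls in. The following script is an added example, not PatchSiren's or the Netty project's code: it parses the `groupId:artifactId:packaging:version:scope` lines that `mvn dependency:tree` prints and flags any `io.netty` artifact whose version predates the fixed release on its branch (4.1.135.Final or 4.2.15.Final, as stated in this debrief). The sample tree at the bottom is constructed for illustration; the branch thresholds are the only values taken from the advisory, and versions on branches the advisory does not mention are reported as "not covered" rather than guessed at.

```python
import re
from typing import Iterable, List, Optional, Tuple

# First patched release on each branch named in the advisory.
FIXED_BY_BRANCH = {
    (4, 1): (4, 1, 135),
    (4, 2): (4, 2, 15),
}

# Netty release tags look like 4.1.134.Final; reject anything else.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.Final)?$")


def parse_netty_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse '4.1.134.Final' into (4, 1, 134); return None for unrecognised tags."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the fix on its branch, False if patched,
    None if the branch is not covered by the advisory (e.g. 4.0.x) or the
    tag could not be parsed (e.g. a non-Final pre-release)."""
    parsed = parse_netty_version(version)
    if parsed is None:
        return None
    fixed = FIXED_BY_BRANCH.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < fixed


# Matches the groupId:artifactId:packaging:version[:scope] form that
# `mvn dependency:tree` prints, e.g. io.netty:netty-codec-http2:jar:4.1.134.Final:compile
_DEP_RE = re.compile(r"io\.netty:([\w.-]+):jar:([\w.-]+)(?::\w+)?")


def find_vulnerable_netty(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (artifact, version) pairs from dependency-tree output that predate the fix."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        for artifact, version in _DEP_RE.findall(line):
            if is_vulnerable(version):
                hits.append((artifact, version))
    return hits


# Constructed sample output; not taken from any real project's build.
SAMPLE_TREE = """\
[INFO] +- io.netty:netty-codec-http2:jar:4.1.134.Final:compile
[INFO] |  \\- io.netty:netty-codec-http:jar:4.1.134.Final:compile
[INFO] +- io.netty:netty-handler:jar:4.2.15.Final:compile
[INFO] \\- io.netty:netty-buffer:jar:4.0.56.Final:compile
""".splitlines()

if __name__ == "__main__":
    for artifact, version in find_vulnerable_netty(SAMPLE_TREE):
        print(f"{artifact} {version} predates the CVE-2026-50560 fix")
```

Pipe real output in with `mvn dependency:tree | python3 check_netty.py` after replacing `SAMPLE_TREE` with `sys.stdin`; transitive dependencies matter here, since most services pull Netty in through a framework rather than declaring it directly.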
Evidence notes
The CVE-2026-50560 vulnerability was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-50560) and has a CVSS score of 6.9. More information can be found on [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-50560).
Official resources
CVE-2026-50560 was published on 2026-06-12T16:16:32.847Z and modified on 2026-06-12T16:18:27.287Z.