Vulnerability Details CVE-2026-44892
Netty is a network application framework for developing protocol servers and clients. Prior to version 4.2.15.Final, the default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec does not enforce a maximum header (field section) size. When a peer does not explicitly specify `HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE`, the implementation falls back to an unbounded limit. Because both sides of an HTTP/3 connection decode field sections, this insecure default lets a malicious client or server send an enormous number of headers and exhaust the receiver's heap, producing a memory-exhaustion Denial of Service via an `OutOfMemoryError`. Version 4.2.15.Final contains a patch.
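Upgrading to 4.2.15.Final is the fix. As a defense-in-depth measure while rolling that out, the added example below advertises an explicit `HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE` in the local settings frame rather than relying on the codec's default, and shows the version test that matches the affected CPE range above. This is example code written for this page, not code from the Netty project or from the advisory. It assumes the `io.netty.handler.codec.http3` package layout shipped with Netty 4.2, the single-argument and five-argument `Http3ServerConnectionHandler` constructor overloads, the `DefaultHttp3SettingsFrame.put(long, Long)` method, and that the local setting bounds what the local decoder accepts from the peer (RFC 9114 defines the setting as the receiver's own limit); the 8 KiB cap is a chosen value, not one the advisory prescribes.

```java
// Added example, not code from the Netty project or this advisory.
// Assumptions: io.netty.handler.codec.http3 package layout of Netty 4.2, the
// Http3ServerConnectionHandler 1-arg and 5-arg overloads, DefaultHttp3SettingsFrame.put(long, Long),
// and that the locally advertised HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE bounds inbound field sections.
import io.netty.channel.ChannelHandler;
import io.netty.handler.codec.http3.DefaultHttp3SettingsFrame;
import io.netty.handler.codec.http3.Http3ServerConnectionHandler;
import io.netty.handler.codec.http3.Http3SettingsFrame;

public final class Http3HeaderLimits {

    /** Chosen cap (8 KiB). Tune per deployment; the point is that it is finite. */
    public static final long MAX_FIELD_SECTION_SIZE = 8192L;

    /**
     * Weak shape (pre-4.2.15.Final): local settings are left to the codec's defaults, which
     * the advisory describes as not enforcing any field-section limit.
     */
    public static Http3ServerConnectionHandler unboundedHandler(ChannelHandler requestStreamHandler) {
        return new Http3ServerConnectionHandler(requestStreamHandler);
    }

    /** Hardened shape: advertise an explicit limit in the local SETTINGS frame. */
    public static Http3ServerConnectionHandler boundedHandler(ChannelHandler requestStreamHandler) {
        return new Http3ServerConnectionHandler(
                requestStreamHandler,
                null,                                   // no custom inbound control-stream handler
                null,                                   // no handler factory for unknown inbound streams
                localSettings(MAX_FIELD_SECTION_SIZE),  // explicit field-section cap
                true);                                  // disable the QPACK dynamic table (assumed flag)
    }

    /** Build a local settings frame that carries an explicit HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE. */
    static Http3SettingsFrame localSettings(long maxFieldSectionSize) {
        if (maxFieldSectionSize <= 0) {
            throw new IllegalArgumentException("maxFieldSectionSize must be positive");
        }
        DefaultHttp3SettingsFrame settings = new DefaultHttp3SettingsFrame();
        settings.put(Http3SettingsFrame.HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE, maxFieldSectionSize);
        return settings;
    }

    /**
     * True when a Netty version string such as "4.2.14.Final" falls in the affected range
     * 4.2.0 through 4.2.14 listed in this advisory. Anything unparsable is reported as not
     * matching, so callers should log such strings rather than treat them as safe.
     */
    public static boolean isAffected(String nettyVersion) {
        String[] parts = nettyVersion.trim().split("\\.");
        if (parts.length < 3) {
            return false;
        }
        try {
            int major = Integer.parseInt(parts[0]);
            int minor = Integer.parseInt(parts[1]);
            int patch = Integer.parseInt(parts[2]);
            return major == 4 && minor == 2 && patch >= 0 && patch <= 14;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs for a dependency-inventory check.
        for (String v : new String[] {"4.2.0.Final", "4.2.14.Final", "4.2.15.Final", "4.1.120.Final"}) {
            System.out.println(v + " affected by CVE-2026-44892: " + isAffected(v));
        }
    }
}
```

Wire `boundedHandler(...)` into the QUIC server channel initializer in place of a bare `new Http3ServerConnectionHandler(handler)`. The explicit setting is worth keeping even after upgrading, because it documents the limit the service is willing to accept instead of inheriting whatever default the codec ships.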
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 37.9%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-44892
- cpe:2.3:a:netty:netty:4.2.0
- cpe:2.3:a:netty:netty:4.2.1
- cpe:2.3:a:netty:netty:4.2.2
- cpe:2.3:a:netty:netty:4.2.3
- cpe:2.3:a:netty:netty:4.2.4
- cpe:2.3:a:netty:netty:4.2.5
- cpe:2.3:a:netty:netty:4.2.6
- cpe:2.3:a:netty:netty:4.2.7
- cpe:2.3:a:netty:netty:4.2.8
- cpe:2.3:a:netty:netty:4.2.9
- cpe:2.3:a:netty:netty:4.2.10
- cpe:2.3:a:netty:netty:4.2.11
- cpe:2.3:a:netty:netty:4.2.12
- cpe:2.3:a:netty:netty:4.2.13
- cpe:2.3:a:netty:netty:4.2.14