CVE-2026-44892 – Netty has a Vulnerable Default Configuration Which Leads to Denial of Service via Unbounded HTTP/3 Header Size

CVE ID :CVE-2026-44892

Published : June 12, 2026, 5:04 a.m. | 16 minutes ago

Description :Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, the default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not explicitly specify `HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE`, the implementation defaults to an unbounded limit. This insecure default configuration allows a malicious client or server to send an enormous number of headers, leading to a memory exhaustion Denial of Service via an `OutOfMemoryError`. Version 4.2.15.Final contains a patch.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-45169 – Idira Privileged Access Manager (PAM) Self-Hosted Vault: Denial of Service due to Unexpected Input Processing

CVE-2026-48613 – phpBB SQL Injection via Profile Field Migration

CVE-2026-48612 – Okta OAuth Account Linking Vulnerability

CVE-2026-48611 – Google OAuth Account Hijacking Vulnerability