CVE-2026-50560
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk22th percentile — higher than 22% of all known CVEs
Summary
Netty, a network application framework, prior to versions 4.1.135.Final and 4.2.15.Final had an issue with handling max HTTP/2 header size, allowing an attack similar to HTTP/2 Rapid Reset. This could result in exceptions when writing response headers during request processing.
Risk Assessment
Organizations using vulnerable versions of Netty may be exposed to attacks that could disrupt application functionality and potentially lead to data loss.
Recommendation
It is recommended to upgrade Netty to versions 4.1.135.Final or 4.2.15.Final to mitigate this vulnerability.
Original NVD description (English source)
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification called `SETTINGS_MAX_HEADER_LIST_SIZE`. When a client sends that setting to Netty, it appears that Netty will behave as follows: read the request; proxy the request to the origin; attempt to produce a response; and create an exception while writing the headers for the response. Functionally, this should be similar to the http2 reset attack, but with a different on-the-wire signature. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

