CVE-2026-50560
MEDIUM
Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature
Title source: cna
Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the HTTP/2 specification called `SETTINGS_MAX_HEADER_LIST_SIZE`. When a client sends that setting to Netty, it appears that Netty will behave as follows: read the request; proxy the request to the origin; attempt to produce a response; and create an exception while writing the headers for the response. Functionally, this should be similar to the HTTP/2 reset attack, but with a different on-the-wire signature. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
References (4)
x_refsource_confirm: https://github.com/netty/netty/security/advisories/GHSA-563q-j3cm-6jxm
x_refsource_misc: https://github.com/netty/netty/releases/tag/netty-4.1.135.Final
x_refsource_misc: https://github.com/netty/netty/releases/tag/netty-4.2.15.Final
x_refsource_misc: https://www.rfc-editor.org/rfc/rfc9113.html#name-defined-settings
Scores
CVSS v3: 5.3
EPSS: 0.0030
EPSS Percentile: 21.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-770
Status: published
Products (5)
io.netty/netty-codec-http2 (Maven): 0 - 4.1.135.Final
io.netty/netty-codec-http2 (Maven): 4.2.0.Final - 4.2.15.Final
netty/netty: < 4.1.135
netty/netty: < 4.1.135.Final
netty/netty: >= 4.2.0.Final, < 4.2.15.Final
Published: Jun 12, 2026
Tracked Since: Jun 12, 2026