CVE-2024-4027
Published: 30 January 2026
Summary
CVE-2024-4027 is a high-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-4027 is a vulnerability in Undertow, where servlets that invoke the HttpServletRequestImpl.getParameterNames() method can trigger an OutOfMemoryError. This occurs when a client sends an HTTP request containing large parameter names, leading to excessive memory consumption. The flaw is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-20 (Improper Input Validation).
An unauthorized remote attacker can exploit this vulnerability by crafting and sending an HTTP request with oversized parameter names to a vulnerable Undertow instance. Successful exploitation results in a denial-of-service (DoS) condition, as the server exhausts available memory and becomes unresponsive.
Red Hat has published a security advisory with details on affected products, patches, and mitigation steps at https://access.redhat.com/security/cve/CVE-2024-4027. Additional technical information is available in the Bugzilla tracker at https://bugzilla.redhat.com/show_bug.cgi?id=2276410.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-32593
Vulnerability details
A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote…
more
denial-of-service (DoS) attack.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote exploitation of public-facing web component (Undertow) via crafted HTTP input to trigger application-level DoS via resource exhaustion.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the CVE by requiring timely remediation of the Undertow flaw through vendor patches to prevent OutOfMemoryError exploitation.
Implements input validation to check HTTP parameter names for excessive size, preventing memory exhaustion from improper validation.
Protects against denial-of-service attacks by limiting the effects of memory-exhausting HTTP requests with large parameter names.