Cyber Resilience

CVE-2026-33012

Severity: High · DDoS

Published: 20 March 2026
Modified: 24 March 2026
KEV Added: not listed
Patch: available
CVSS Score: v3.1 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0006 (17.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33012 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Objectcomputing Micronaut. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 17.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-33012 is a denial-of-service vulnerability in the Micronaut Framework, a JVM-based full-stack Java framework for building modular, easily testable applications. It affects versions 4.7.0 through 4.10.16, specifically in the DefaultHtmlErrorResponseBodyProvider component, which uses an unbounded ConcurrentHashMap cache without an eviction policy. This flaw, classified under CWE-770 (Allocation of Resources Without Limits or Throttling), allows attackers to trigger unbounded heap growth by influencing exception messages, such as those incorporating request query parameters, ultimately leading to an OutOfMemoryError. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Remote attackers require no privileges or user interaction to exploit this vulnerability. By sending crafted requests that cause the application to throw exceptions with attacker-controlled messages, they can repeatedly populate the cache, consuming heap memory until the service crashes with an OutOfMemoryError, resulting in denial of service.

The vulnerability has been addressed in Micronaut Framework version 4.10.7. Official mitigation guidance from the project's security advisory (GHSA-2hcp-gjrf-7fhc) and related GitHub resources recommends upgrading to the fixed version, with the patch detailed in commit 1e2ba2c14386af3d47751732d02053a72b0b49b3 and release notes available for v4.10.17.
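As an added illustration (not Micronaut's code or its patch), the hypothetical provider below contrasts the unbounded pattern the advisory describes, a cache keyed on the exception message with no eviction, against a capped LRU cache whose heap footprint cannot grow with request input; the class names, MAX_ENTRIES and the constructed sample messages are assumptions.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical stand-in for an HTML error-body provider; not Micronaut's own code or patch. */
public class ErrorBodyCacheDemo {
    /** Pattern the advisory describes: keyed on the exception message, never evicted. */
    static final class UnboundedProvider {
        private final ConcurrentHashMap<String, String> cache = new ConcurrentHashMap<>();
        String body(Throwable t) { // every distinct message becomes a permanent entry
            return cache.computeIfAbsent(String.valueOf(t.getMessage()), ErrorBodyCacheDemo::render);
        }
        int size() { return cache.size(); }
    }

    /** Hardened variant: LRU cache with a hard cap, so heap use is O(MAX_ENTRIES). */
    static final class BoundedProvider {
        static final int MAX_ENTRIES = 256; // assumed cap; size it for the application
        private final Map<String, String> cache = Collections.synchronizedMap(
            new LinkedHashMap<String, String>(64, 0.75f, true) {
                @Override
                protected boolean removeEldestEntry(Map.Entry<String, String> eldest) {
                    return size() > MAX_ENTRIES; // evict the least recently used entry
                }
            });
        String body(Throwable t) {
            return cache.computeIfAbsent(String.valueOf(t.getMessage()), ErrorBodyCacheDemo::render);
        }
        int size() { return cache.size(); }
    }

    static String render(String message) {
        String safe = message.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
        return "<html><body><h1>Error</h1><p>" + safe + "</p></body></html>";
    }

    public static void main(String[] args) {
        UnboundedProvider unbounded = new UnboundedProvider();
        BoundedProvider bounded = new BoundedProvider();
        // Constructed input: 10,000 distinct messages, standing in for varied request values.
        for (int i = 0; i < 10_000; i++) {
            RuntimeException e = new RuntimeException("bad parameter: q=" + i);
            unbounded.body(e);
            bounded.body(e);
        }
        System.out.println("unbounded entries: " + unbounded.size()); // grows with input
        System.out.println("bounded entries:   " + bounded.size());   // never exceeds MAX_ENTRIES
    }
}
```

Not keying the cache on request-influenced data at all (for example, caching only a per-status template and rendering the message on each request) removes the growth vector entirely; the cap above is the general CWE-770 control when such a key is unavoidable.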

Vulnerability details

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions 4.7.0 through 4.10.16 used an unbounded ConcurrentHashMap cache with no eviction policy in its DefaultHtmlErrorResponseBodyProvider. If the application throws an exception whose message may be influenced by an attacker (for example, one including request query parameter values), it could be used by remote attackers to cause unbounded heap growth and an OutOfMemoryError, leading to DoS. This issue has been fixed in version 4.10.7.

CWE(s)

CWE-770 Allocation of Resources Without Limits or Throttling

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes remote exploitation of an unbounded cache flaw (via crafted exception-triggering requests) that directly causes application-level memory exhaustion and crash, mapping to T1499.004 Application or System Exploitation for denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33013 - Same product: Objectcomputing Micronaut
CVE-2021-47877 - Shared CWE-770
CVE-2026-3260 - Shared CWE-770
CVE-2025-66560 - Shared CWE-770
CVE-2025-68136 - Shared CWE-770
CVE-2020-37038 - Shared CWE-770
CVE-2025-36070 - Shared CWE-770
CVE-2021-47791 - Shared CWE-770
CVE-2021-47876 - Shared CWE-770
CVE-2019-25342 - Shared CWE-770

Affected Assets

Vendor: objectcomputing
Product: micronaut
Versions: 4.7.0 to 4.10.17

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: SC-5 Denial-of-service Protection directly limits the impact of remote attackers exploiting the unbounded ConcurrentHashMap cache to cause heap exhaustion and OutOfMemoryError.

prevent: SC-6 Resource Availability enforces quotas and throttling on memory resources to prevent unbounded heap growth from repeated caching of attacker-influenced exception messages.

prevent: SI-11 Error Handling ensures exceptions in the DefaultHtmlErrorResponseBodyProvider do not compromise system resources through unsafe caching mechanisms.
