CVE-2026-33012
Published: 20 March 2026
Summary
CVE-2026-33012 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Objectcomputing Micronaut. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 16.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-5 Denial-of-service Protection directly limits the impact of remote attackers exploiting the unbounded ConcurrentHashMap cache to cause heap exhaustion and OutOfMemoryError.
SC-6 Resource Availability enforces quotas and throttling on memory resources to prevent unbounded heap growth from repeated caching of attacker-influenced exception messages.
SI-11 Error Handling ensures exceptions in the DefaultHtmlErrorResponseBodyProvider do not compromise system resources through unsafe caching mechanisms.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes remote exploitation of an unbounded cache flaw (via crafted exception-triggering requests) that directly causes application-level memory exhaustion and crash, mapping to T1499.004 Application or System Exploitation for denial of service.
NVD Description
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions 4.7.0 through 4.10.16 used an unbounded ConcurrentHashMap cache with no eviction policy in its DefaultHtmlErrorResponseBodyProvider. If the application throws an exception whose message may be influenced by an attacker (for example, including request query value parameters), it could be used by remote attackers to cause an unbounded heap growth and OutOfMemoryError, leading to DoS. This issue has been fixed in version 4.10.7.
Deeper analysis
CVE-2026-33012 is a denial-of-service vulnerability in the Micronaut Framework, a JVM-based full-stack Java framework for building modular, easily testable applications. It affects versions 4.7.0 through 4.10.16, specifically in the DefaultHtmlErrorResponseBodyProvider component, which uses an unbounded ConcurrentHashMap cache without an eviction policy. This flaw, classified under CWE-770 (Allocation of Resources Without Limits or Throttling), allows attackers to trigger unbounded heap growth by influencing exception messages, such as those incorporating request query parameters, ultimately leading to an OutOfMemoryError. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Remote attackers require no privileges or user interaction to exploit this vulnerability. By sending crafted requests that cause the application to throw exceptions with attacker-controlled messages, they can repeatedly populate the cache, consuming heap memory until the service crashes with an OutOfMemoryError, resulting in denial of service.
The vulnerability has been addressed in Micronaut Framework version 4.10.7. Official mitigation guidance from the project's security advisory (GHSA-2hcp-gjrf-7fhc) and related GitHub resources recommends upgrading to the fixed version, with the patch detailed in commit 1e2ba2c14386af3d47751732d02053a72b0b49b3 and release notes available for v4.10.17.
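The cache pattern the advisory describes, as an added illustration that is not Micronaut's own code (the class and method names below are hypothetical, and the request loop is a constructed simulation): an error-body cache keyed by the exception message grows by one entry per distinct request, while a cache keyed on an attacker-independent value and capped with LRU eviction stays bounded no matter how many requests arrive.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration of the CWE-770 cache pattern; hypothetical names, not Micronaut's code.
public class ErrorBodyCacheExample {

    // Vulnerable pattern: the cache key is derived from the exception message.
    // When the message echoes request input, every distinct request adds an
    // entry, and a ConcurrentHashMap never evicts, so heap use is unbounded.
    static final class UnboundedErrorBodyCache {
        private final Map<String, String> cache = new ConcurrentHashMap<>();

        String render(Throwable error) {
            String key = String.valueOf(error.getMessage());
            return cache.computeIfAbsent(key, k -> buildHtml(escapeHtml(k)));
        }

        int size() {
            return cache.size();
        }
    }

    // Hardened pattern: key on something the client cannot make unique per
    // request (the exception class), cap the map with LRU eviction, and
    // substitute the attacker-influenced message per request instead of
    // storing it in the cache.
    static final class BoundedErrorBodyCache {
        private static final int MAX_ENTRIES = 64;

        private final Map<String, String> cache = Collections.synchronizedMap(
            new LinkedHashMap<String, String>(16, 0.75f, true) {
                @Override
                protected boolean removeEldestEntry(Map.Entry<String, String> eldest) {
                    return size() > MAX_ENTRIES;
                }
            });

        String render(Throwable error) {
            String key = error.getClass().getName();
            String template = cache.computeIfAbsent(key, k -> buildHtml("{message}"));
            return template.replace("{message}", escapeHtml(String.valueOf(error.getMessage())));
        }

        int size() {
            return cache.size();
        }
    }

    // Wraps already-safe body text in a minimal HTML error page.
    static String buildHtml(String bodyText) {
        return "<html><body><h1>Error</h1><p>" + bodyText + "</p></body></html>";
    }

    // Minimal HTML escaping so request-derived text is never emitted as markup.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("\"", "&quot;")
                .replace("'", "&#39;");
    }

    public static void main(String[] args) {
        // Constructed simulation: many requests whose exception message
        // contains a request-specific value, as the advisory describes.
        UnboundedErrorBodyCache unbounded = new UnboundedErrorBodyCache();
        BoundedErrorBodyCache bounded = new BoundedErrorBodyCache();
        for (int i = 0; i < 100_000; i++) {
            Throwable error = new IllegalArgumentException("bad value for q=" + i);
            unbounded.render(error);
            bounded.render(error);
        }
        System.out.println("unbounded cache entries: " + unbounded.size());
        System.out.println("bounded cache entries:   " + bounded.size());
    }
}
```

The bounded variant applies both halves of the fix at once: the key no longer carries request-controlled data, so the entry count cannot be driven up by varying the message, and the `removeEldestEntry` cap guards the heap even for keys that do legitimately vary (several exception classes). Either measure alone narrows the exposure; a hard size limit is the one that maps to SC-6 regardless of how keys are chosen.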
Details
- CWE(s)