CVE-2026-33871
Published: 27 March 2026
Summary
CVE-2026-33871 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Netty. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE is ranked at the 10.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-5 directly protects against DoS attacks like the CONTINUATION frame flood by implementing limits on network traffic and resource consumption to prevent excessive CPU usage.
SC-6 ensures protection of critical resources such as CPU from exhaustion caused by unbounded processing of zero-byte CONTINUATION frames.
SI-2 mandates timely flaw remediation, including upgrading Netty to versions 4.1.132.Final or 4.2.10.Final that implement limits on CONTINUATION frames.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a resource exhaustion DoS via unbounded CONTINUATION frame processing in an HTTP/2 server, directly enabling application-layer CPU exhaustion as defined in T1499.003.
NVD Description
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
Deeper analysis
CVE-2026-33871 is a denial-of-service vulnerability in Netty, an asynchronous event-driven network application framework for building performant protocol servers and clients. It affects Netty HTTP/2 servers running versions prior to 4.1.132.Final and 4.2.10.Final. The flaw arises from the absence of limits on the number of CONTINUATION frames that can be processed, allowing attackers to bypass existing size-based mitigations by using zero-byte frames, which triggers excessive CPU consumption and renders the server unresponsive.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low bandwidth requirements. By flooding the server with CONTINUATION frames, the attacker causes high CPU usage, leading to denial of service. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-770 (Allocation of Resources Without Limits or Throttling).
Netty versions 4.1.132.Final and 4.2.10.Final address the issue by implementing appropriate limits and mitigations. Security practitioners should upgrade affected Netty instances to these fixed releases. Additional details are available in the GitHub Security Advisory at https://github.com/netty/netty/security/advisories/GHSA-w9fj-cfpg-grvv.
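The following is an added illustration, not Netty's code and not taken from the advisory: a minimal HTTP/2 header-block reassembler in Python that shows why a size-only cap does not stop this flood and how a frame-count cap does. The frame encoder, the `HeaderBlockAssembler` class, the limit value of 32 and the constructed sample traffic are all assumptions made for the example; the page does not state the limit the fixed Netty releases use.

```python
# HTTP/2 frame types and flags used here (RFC 9113 values)
HEADERS = 0x1
CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4


class ProtocolError(Exception):
    """Raised when the peer violates a limit; a real server would send GOAWAY and close."""


def encode_frame(frame_type, flags, stream_id, payload=b""):
    """Build one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    header = (len(payload).to_bytes(3, "big")
              + bytes([frame_type, flags])
              + (stream_id & 0x7FFFFFFF).to_bytes(4, "big"))
    return header + payload


def iter_frames(data):
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ProtocolError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += 9 + length


class HeaderBlockAssembler:
    """Reassembles one header block from HEADERS followed by CONTINUATION frames.

    max_header_bytes is the pre-existing size-based mitigation. max_continuation_frames
    is the count-based limit; None models the vulnerable behaviour described in the CVE.
    """

    def __init__(self, max_header_bytes=8192, max_continuation_frames=None):
        self.max_header_bytes = max_header_bytes
        self.max_continuation_frames = max_continuation_frames
        self.stream_id = None          # stream whose header block is open, if any
        self.buf = bytearray()
        self.cont_count = 0

    def feed(self, ftype, flags, stream_id, payload):
        """Consume one frame; return the complete header block when END_HEADERS arrives."""
        if ftype == HEADERS:
            if self.stream_id is not None:
                raise ProtocolError("HEADERS while another header block is open")
            self.stream_id = stream_id
            self.buf = bytearray(payload)
            self.cont_count = 0
        elif ftype == CONTINUATION:
            if self.stream_id != stream_id:
                raise ProtocolError("CONTINUATION without open header block")
            self.cont_count += 1
            # Counting frames, not bytes, is what catches zero-byte CONTINUATIONs.
            if (self.max_continuation_frames is not None
                    and self.cont_count > self.max_continuation_frames):
                raise ProtocolError("too many CONTINUATION frames")
            self.buf += payload
        else:
            return None  # other frame types are out of scope for this example
        if len(self.buf) > self.max_header_bytes:
            raise ProtocolError("header block too large")
        if flags & FLAG_END_HEADERS:
            block = bytes(self.buf)
            self.stream_id = None
            self.buf = bytearray()
            return block
        return None


def run(assembler, data):
    """Feed frames until the input ends or a limit trips.

    Returns (frames_accepted, error_message_or_None, completed_header_blocks)."""
    accepted, blocks = 0, []
    try:
        for frame in iter_frames(data):
            block = assembler.feed(*frame)
            accepted += 1
            if block is not None:
                blocks.append(block)
    except ProtocolError as exc:
        return accepted, str(exc), blocks
    return accepted, None, blocks


def continuation_flood(n_frames):
    """Constructed sample traffic: a HEADERS frame that never ends its block,
    followed by n_frames zero-byte CONTINUATION frames on the same stream."""
    return encode_frame(HEADERS, 0, 1, b"\x82") + encode_frame(CONTINUATION, 0, 1) * n_frames


def legitimate_request():
    """Constructed sample: one header block legitimately split over three frames."""
    return (encode_frame(HEADERS, 0, 3, b"\x82\x86")
            + encode_frame(CONTINUATION, 0, 3, b"\x84")
            + encode_frame(CONTINUATION, FLAG_END_HEADERS, 3, b"\x41\x00"))


if __name__ == "__main__":
    flood = continuation_flood(10000)
    print("size-only cap:", run(HeaderBlockAssembler(), flood)[:2])
    print("count cap:    ", run(HeaderBlockAssembler(max_continuation_frames=32), flood)[:2])
    print("legit request:", run(HeaderBlockAssembler(max_continuation_frames=32), legitimate_request()))
```

With only the byte cap, all 10,001 frames of the constructed flood are processed and the buffer never grows, which is exactly the bypass the advisory describes. With the count cap the connection is rejected on the 33rd CONTINUATION frame, while a normal request split over three frames still assembles. A production server would also enforce this per connection and respond with GOAWAY rather than simply raising; the illustrative limit of 32 is a design choice for this example, not a value from the page.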
Details
- CWE(s)