wid-sec-w-2026-0846  ·  Published 2026-03-24  ·  BSI CERT-Bund

Netty: Multiple Vulnerabilities

CVSS 8.7 HIGH

Risk Summary

Netty is an asynchronous, event-driven network application framework.

In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

Also in versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
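To make the first issue concrete, the following is an added illustration written for this page, not Netty's code and not derived from the advisory's fix: a strict parser for the HTTP/1.1 chunk-size line that follows the RFC 9112 grammar for chunk extensions, including quoted-string values with escaped characters, next to a quote-unaware splitter for contrast. The grammar names are RFC terms; the function names and sample lines are this example's own.

```python
"""Strict parser for the HTTP/1.1 chunk-size line (RFC 9112 section 7.1).

Added illustration, not Netty's code.  Relevant grammar:
    chunk-size    = 1*HEXDIG
    chunk-ext     = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
    chunk-ext-val = token / quoted-string
    quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE
Two parsers that disagree on how to read this line are the raw material of
request smuggling; rejecting anything outside the grammar removes the ambiguity.
"""
import string
from dataclasses import dataclass, field
from typing import Dict, Optional

TCHAR = set(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")
HEXDIG = set(string.hexdigits)
BWS = " \t"


class ChunkLineError(ValueError):
    """Any deviation from the grammar; treat as a fatal framing error."""


@dataclass
class ChunkHeader:
    size: int
    extensions: Dict[str, Optional[str]] = field(default_factory=dict)


def _skip_bws(s: str, i: int) -> int:
    while i < len(s) and s[i] in BWS:
        i += 1
    return i


def _parse_token(s: str, i: int):
    start = i
    while i < len(s) and s[i] in TCHAR:
        i += 1
    if i == start:
        raise ChunkLineError(f"expected token at offset {start}")
    return s[start:i], i


def _is_qpair_char(c: str) -> bool:
    # quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text )
    return c in BWS or 0x21 <= ord(c) <= 0x7E or ord(c) >= 0x80


def _is_qdtext(c: str) -> bool:
    # qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text
    return _is_qpair_char(c) and c not in '"\\'


def _parse_quoted_string(s: str, i: int):
    """Parse a quoted-string whose opening DQUOTE is at s[i]; return (value, next_index)."""
    i += 1  # skip the opening quote
    out = []
    while i < len(s):
        c = s[i]
        if c == '"':
            return "".join(out), i + 1
        if c == "\\":
            if i + 1 >= len(s) or not _is_qpair_char(s[i + 1]):
                raise ChunkLineError("invalid quoted-pair")
            out.append(s[i + 1])  # escaped char is taken literally, never as a delimiter
            i += 2
        elif _is_qdtext(c):
            out.append(c)
            i += 1
        else:
            raise ChunkLineError(f"illegal character in quoted-string at offset {i}")
    raise ChunkLineError("unterminated quoted-string")


def parse_chunk_size_line(line: str) -> ChunkHeader:
    """Parse 'chunk-size [chunk-ext] CRLF'; raise ChunkLineError on anything else."""
    if not line.endswith("\r\n"):
        raise ChunkLineError("chunk-size line must end with CRLF")
    s = line[:-2]
    i = 0
    while i < len(s) and s[i] in HEXDIG:
        i += 1
    if i == 0:
        raise ChunkLineError("missing chunk-size")
    header = ChunkHeader(size=int(s[:i], 16))
    while i < len(s):
        i = _skip_bws(s, i)
        if i >= len(s) or s[i] != ";":
            # Trailing whitespace or stray bytes after a size/value: reject, do not guess.
            raise ChunkLineError(f"unexpected content at offset {i}")
        name, i = _parse_token(s, _skip_bws(s, i + 1))
        value = None
        j = _skip_bws(s, i)
        if j < len(s) and s[j] == "=":
            i = _skip_bws(s, j + 1)
            if i < len(s) and s[i] == '"':
                value, i = _parse_quoted_string(s, i)
            else:
                value, i = _parse_token(s, i)
        header.extensions[name] = value
    return header


def naive_extension_names(line: str):
    """Quote-unaware splitter, for contrast only (not Netty's code): every ';' is a delimiter."""
    return [p.split("=", 1)[0].strip() for p in line.rstrip("\r\n").split(";")[1:]]


def is_rejected(line: str) -> bool:
    """True if the strict parser refuses the line."""
    try:
        parse_chunk_size_line(line)
    except ChunkLineError:
        return True
    return False
```

The contrast case to look at is a line such as `5;name="a;b=c"` followed by CRLF: the strict parser yields one extension, `name`, with the value `a;b=c`, while the quote-unaware splitter reports two, `name` and `b`. Anything the grammar does not cover (trailing whitespace, text after a closing quote, an unterminated quote, a non-hex size) is rejected outright rather than interpreted.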
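For the second issue, here is an added illustration in Python, not Netty's code: a header-block guard that enforces a cap on the number of `CONTINUATION` frames per block alongside the usual byte-size cap, run over a constructed frame sequence. It shows why the size cap alone never fires when the payloads are empty. The frame layout and type codes are from RFC 9113; the limit values, class and function names are this example's own.

```python
"""HTTP/2 header-block limiter: a frame count limit next to a size limit.

Added illustration for this advisory, not Netty's code.  A HEADERS frame
without END_HEADERS is followed by CONTINUATION frames carrying the rest of
the field block (RFC 9113 sections 4.3 and 6.10).  A guard that only caps
accumulated bytes is blind to zero-length CONTINUATION frames, which never
move the byte counter but still cost a frame parse and a state update each.
"""
from dataclasses import dataclass
from typing import Optional

HEADERS = 0x1
CONTINUATION = 0x9
END_HEADERS = 0x4


class HeaderBlockError(Exception):
    def __init__(self, reason: str, frame_index: int):
        super().__init__(f"{reason} at frame {frame_index}")
        self.reason = reason
        self.frame_index = frame_index


@dataclass(frozen=True)
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """RFC 9113 s4.1 layout: 24-bit length, type, flags, reserved bit + 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def decode_frames(buf: bytes):
    """Yield Frame objects from a byte buffer; refuse truncated input."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        end = off + 9 + length
        if end > len(buf):
            raise ValueError("truncated frame payload")
        yield Frame(ftype, flags, stream_id, buf[off + 9:end])
        off = end


class HeaderBlockGuard:
    """Per-block limits on a HEADERS + CONTINUATION sequence.

    max_block_bytes:   cap on accumulated fragment bytes (size-based check).
    max_continuations: cap on CONTINUATION frames per block; None disables it,
                       which is the gap the advisory describes.
    """

    def __init__(self, max_block_bytes: int, max_continuations: Optional[int]):
        self.max_block_bytes = max_block_bytes
        self.max_continuations = max_continuations
        self._stream: Optional[int] = None  # stream id of the open block, if any
        self._bytes = 0
        self._count = 0

    def on_frame(self, frame: Frame, index: int) -> str:
        if self._stream is None:
            if frame.ftype == CONTINUATION:
                raise HeaderBlockError("continuation_without_headers", index)
            if frame.ftype != HEADERS:
                return "passthrough"
            self._stream, self._bytes, self._count = frame.stream_id, 0, 0
        else:
            # While a block is open only CONTINUATION on the same stream is legal.
            if frame.ftype != CONTINUATION or frame.stream_id != self._stream:
                raise HeaderBlockError("interleaved_frame", index)
            self._count += 1
            if self.max_continuations is not None and self._count > self.max_continuations:
                raise HeaderBlockError("continuation_count_exceeded", index)
        self._bytes += len(frame.payload)
        if self._bytes > self.max_block_bytes:
            raise HeaderBlockError("header_block_too_large", index)
        if frame.flags & END_HEADERS:
            self._stream = None
            return "block_complete"
        return "fragment_accepted"


def scan(buf: bytes, max_block_bytes: int, max_continuations: Optional[int]):
    """Run the guard over a buffer; return (outcome, index of last frame processed)."""
    guard = HeaderBlockGuard(max_block_bytes, max_continuations)
    n = 0
    try:
        for n, frame in enumerate(decode_frames(buf), start=1):
            guard.on_frame(frame, n)
    except HeaderBlockError as e:
        return e.reason, e.frame_index
    return "ok", n


def sample_block(continuations: int, payload_per_frame: bytes) -> bytes:
    """Constructed input: one HEADERS frame (no END_HEADERS) on stream 1, then
    `continuations` CONTINUATION frames, the last one carrying END_HEADERS."""
    out = encode_frame(HEADERS, 0, 1, b"\x82")  # HPACK static index 2, ':method: GET'
    for i in range(continuations):
        flags = END_HEADERS if i == continuations - 1 else 0
        out += encode_frame(CONTINUATION, flags, 1, payload_per_frame)
    return out
```

With a 16 KiB byte cap and the count limit disabled, a block of one HEADERS frame plus 500 empty `CONTINUATION` frames is processed to the end with the byte counter stuck at one; with a count limit of 32 the same input is refused at the 34th frame. The byte cap still does its own job against large fragments, so the two checks are complementary rather than alternatives.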

Affected Vendors

Open Source
SUSE

Affected Products (4)

Open Source · Netty <4.2.11
Open Source · Netty 4.2.11
Open Source · Netty <4.1.132
Open Source · Netty 4.1.132
