CVE-2026-47244— Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-47244
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced
Source: NVD (National Vulnerability Database)
Vulnerability Description
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
未加控制的资源消耗(资源穷尽)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Netty 资源管理错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Netty是Netty团队开源的一款非阻塞I/O客户端-服务器框架, 它主要用于开发Java网络应用程序,如协议服务器和客户端等。 Netty 4.1.135.Final之前版本和4.2.15.Final之前版本存在资源管理错误漏洞,该漏洞源于DefaultHttp2Connection.DefaultEndpoint将maxActiveStreams/maxStreams初始化为Integer.MAX_VALUE且Http2Settings默认不插入SETTINGS_MAX_CONCURRENT_STR
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-47244
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-47244
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-47244 (1)
Vendor Pages for CVE-2026-47244 (2)
Same Patch Batch · netty · 2026-06-12 · 19 CVEs total
| CVE-2026-45674 | 8.7 HIGH | Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records |
| CVE-2026-47691 | 8.7 HIGH | Netty has Insufficient Bailiwick Validation for NS Records |
| CVE-2026-44892 | 7.5 HIGH | Netty has a Vulnerable Default Configuration Which Leads to Denial of Service via Unbounde |
| CVE-2026-44894 | 7.5 HIGH | Netty's Default QUIC token handler accepts any client-supplied token |
| CVE-2026-44893 | 7.5 HIGH | Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length |
| CVE-2026-46340 | 7.5 HIGH | Netty: SCTP reassembly nests buffers without bound |
| CVE-2026-50011 | 7.5 HIGH | Netty has unbounded pre-allocation in RedisArrayAggregator from RESP array length |
| CVE-2026-50010 | 7.5 HIGH | Netty's wrapping plain trust manager silently disables hostname verification |
| CVE-2026-48748 | 7.5 HIGH | Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion |
| CVE-2026-45416 | 7.5 HIGH | Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes |
| CVE-2026-45673 | 6.8 MEDIUM | Netty: DNS Cache Poisoning due to Predictable PRNG and Default Static Source Port |
| CVE-2026-48043 | 5.3 MEDIUM | netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Lea |
| CVE-2026-50020 | 5.3 MEDIUM | Netty's HttpObjectDecoder skips arbitrary initial control characters when only initial CRL |
| CVE-2026-50009 | 4.8 MEDIUM | Netty QUIC stateless reset token material exposed through header-visible connection IDs |
| CVE-2026-45536 | 4.0 MEDIUM | Netty: Unix-socket fd receive leaks descriptors when peer sends two at once |
| CVE-2026-50560 | Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature | |
| CVE-2026-48006 | Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator | |
| CVE-2026-48059 | Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memo |
IV. Related Vulnerabilities
Same product: netty
- CVE-2026-50560
Netty susceptible to HTTP/2 Reset Attack with different on-t - CVE-2026-50020
Netty's HttpObjectDecoder skips arbitrary initial control ch - CVE-2026-50011
Netty has unbounded pre-allocation in RedisArrayAggregator f - CVE-2026-50010
Netty's wrapping plain trust manager silently disables hostn - CVE-2026-50009
Netty QUIC stateless reset token material exposed through he
Same vendor: netty
- CVE-2026-50560
Netty susceptible to HTTP/2 Reset Attack with different on-t - CVE-2026-50020
Netty's HttpObjectDecoder skips arbitrary initial control ch - CVE-2026-50011
Netty has unbounded pre-allocation in RedisArrayAggregator f - CVE-2026-50010
Netty's wrapping plain trust manager silently disables hostn - CVE-2026-50009
Netty QUIC stateless reset token material exposed through he
Same weakness: CWE-400
- CVE-2026-45357
LiquidJS: Memory and render limit bypass via unbounded width - CVE-2026-44645
LiquidJS has a renderLimit DoS guard bypass via empty `{% fo - CVE-2024-24769
Vantage6: No limit on emails sent for password/MFA reset - CVE-2026-48990
joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry p - CVE-2026-48988
markdown-it: Quadratic complexity DoS in smartquotes rule vi
V. Comments for CVE-2026-47244
No comments yet