CVE-2026-47244 - Medium Severity Vulnerability
Vulnerable Libraries - netty-codec-http2-4.1.76.Final.jar, netty-codec-http2-4.1.67.Final.jar
netty-codec-http2-4.1.76.Final.jar
Library home page: https://netty.io/
Path to dependency file: /OPENAPI-REST-API/openapi-client/java-micronaut-client/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.76.Final/netty-codec-http2-4.1.76.Final.jar, /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.76.Final/199f8352c0f19e5be97a0eac6a0b65d8f7da4218/netty-codec-http2-4.1.76.Final.jar
Dependency Hierarchy:
- micronaut-bom-3.4.3.pom (Root Library)
  - ❌ netty-codec-http2-4.1.76.Final.jar (Vulnerable Library)
netty-codec-http2-4.1.67.Final.jar
Library home page: https://netty.io/
Path to dependency file: /OPENAPI-REST-API/swagger-client/micronaut/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.67.Final/netty-codec-http2-4.1.67.Final.jar
Dependency Hierarchy:
- micronaut-http-client-3.0.0.jar (Root Library)
  - micronaut-http-netty-3.0.0.jar
    - ❌ netty-codec-http2-4.1.67.Final.jar (Vulnerable Library)
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Vulnerability Details
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Publish Date: 2026-06-12
URL: CVE-2026-47244
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-09
Fix Resolution: https://github.com/netty/netty.git - netty-4.2.15.Final, https://github.com/netty/netty.git - netty-4.1.135.Final